CVE-2025-60638 Overview
A denial of service vulnerability has been discovered in Free5GC, an open-source 5G core network implementation. The vulnerability exists in Free5GC versions 4.0.0 and 4.0.1, allowing an unauthenticated attacker to cause service disruption through specially crafted POST requests targeting the Nnssf_NSSAIAvailability API. This API is part of the Network Slice Selection Function (NSSF) responsible for managing network slice availability information in 5G networks.
Critical Impact
Remote attackers can disrupt 5G core network operations by sending malicious requests to the NSSF component, potentially affecting network slice availability and subscriber services without requiring authentication.
Affected Products
- Free5GC version 4.0.0
- Free5GC version 4.0.1
- Deployments utilizing the Nnssf_NSSAIAvailability API endpoint
Discovery Timeline
- 2025-11-24 - CVE-2025-60638 published to NVD
- 2025-12-01 - Last updated in NVD database
Technical Details for CVE-2025-60638
Vulnerability Analysis
This vulnerability is classified as CWE-400 (Uncontrolled Resource Consumption), indicating that the Free5GC NSSF component fails to properly limit resource consumption when processing incoming requests. The Nnssf_NSSAIAvailability API, which handles Network Slice Selection Assistance Information availability notifications, does not implement adequate input validation or resource management controls.
The attack can be executed remotely over the network without requiring any authentication or user interaction. When exploited, the vulnerability results in complete unavailability of the affected service, disrupting 5G core network operations. The impact is limited to availability; there is no evidence that confidentiality or integrity of data can be compromised through this attack vector.
Root Cause
The root cause of this vulnerability lies in improper resource consumption controls within the Nnssf_NSSAIAvailability API handler. The NSSF component fails to implement proper request throttling, input size validation, or resource allocation limits when processing POST requests. This allows an attacker to exhaust server resources by sending specially crafted requests that trigger resource-intensive processing paths within the API handler.
Attack Vector
The attack exploits the network-accessible Nnssf_NSSAIAvailability API endpoint. An attacker can send crafted POST requests to this API, causing the NSSF service to consume excessive resources and become unresponsive. The attack requires no prior authentication, privileges, or user interaction, making it trivially exploitable from any network location with access to the API endpoint.
The exploitation mechanism targets the API's request processing logic, where malformed or oversized payloads can trigger resource exhaustion conditions. Further technical details regarding the specific payload structure can be found in the GitHub Issue #704 Discussion.
Detection Methods for CVE-2025-60638
Indicators of Compromise
- Abnormal volume of POST requests targeting the /nnssf-nssaiavailability/ API endpoint
- NSSF service crashes or restarts without apparent cause
- High CPU or memory utilization on systems running Free5GC NSSF components
- Connection timeouts or service unavailability affecting network slice operations
Detection Strategies
- Implement API request rate monitoring for the Nnssf_NSSAIAvailability endpoint to detect anomalous traffic patterns
- Configure application-level logging to capture malformed or oversized POST request payloads targeting NSSF APIs
- Deploy network intrusion detection rules to identify denial of service attack patterns against 5G core APIs
- Monitor Free5GC service health metrics including response times, error rates, and resource utilization
Monitoring Recommendations
- Enable detailed access logging for all NSSF API endpoints with request body inspection
- Set up automated alerts for NSSF service restarts or unresponsive states
- Implement resource consumption thresholds with alerting for CPU, memory, and connection pool exhaustion
- Review Free5GC logs for repeated failed or malformed API requests from single source addresses
How to Mitigate CVE-2025-60638
Immediate Actions Required
- Restrict network access to the Nnssf_NSSAIAvailability API endpoint using firewall rules or network segmentation
- Implement rate limiting on API gateway or reverse proxy in front of Free5GC services
- Monitor for updates from the Free5GC project and apply patches when available
- Consider temporarily disabling the affected API endpoint if not critical to operations
Patch Information
As of the last update on 2025-12-01, review the GitHub Free5GC Repository for the latest releases and security patches. Monitor the GitHub Issue #704 Discussion for updates on the fix status and recommended remediation steps from the Free5GC maintainers.
Workarounds
- Deploy an API gateway or web application firewall (WAF) to filter and rate-limit requests to NSSF endpoints
- Implement network segmentation to limit exposure of 5G core APIs to trusted network zones only
- Configure container or process resource limits to prevent complete system exhaustion during attack attempts
- Enable request payload size limits at the reverse proxy or load balancer level
# Example: Rate limiting configuration for nginx reverse proxy
# Add to server block protecting Free5GC NSSF API
limit_req_zone $binary_remote_addr zone=nssf_limit:10m rate=10r/s;
location /nnssf-nssaiavailability/ {
limit_req zone=nssf_limit burst=20 nodelay;
limit_req_status 429;
client_max_body_size 1m;
proxy_pass http://free5gc-nssf:8000;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
