CVE-2025-63288 Overview
A denial of service vulnerability exists in Open5GS version 2.7.6 where the Access and Mobility Management Function (AMF) crashes when processing a malformed NGSetupRequest message. This vulnerability (CWE-400: Uncontrolled Resource Consumption) allows remote attackers to disrupt 5G network core services by sending specially crafted NGAP protocol messages whose security capability fields are not subjected to size validation.
Critical Impact
Remote attackers can crash the AMF component of Open5GS 5G core networks without authentication, causing complete disruption of 5G network access and mobility services for connected devices.
Affected Products
- Open5GS version 2.7.6
- Open5GS AMF (Access and Mobility Management Function) component
- Open5GS MME (Mobility Management Entity) component
Discovery Timeline
- 2025-11-10 - CVE-2025-63288 published to NVD
- 2025-12-11 - Last updated in NVD database
Technical Details for CVE-2025-63288
Vulnerability Analysis
The vulnerability resides in the NGAP message handler within the Open5GS AMF component. When processing NGSetupRequest messages from gNodeBs (5G base stations), the AMF fails to properly validate the size of Information Element (IE) fields related to UE Security Capabilities. Specifically, the fields nRencryptionAlgorithms, nRintegrityProtectionAlgorithms, eUTRAencryptionAlgorithms, and eUTRAintegrityProtectionAlgorithms are not validated against their expected sizes before processing.
This missing size validation allows an attacker to send malformed NGAP messages with incorrectly sized security algorithm fields, causing the AMF to crash when attempting to process the unexpected data. The attack can be executed remotely over the network without requiring any prior authentication or user interaction.
Root Cause
The root cause is improper input validation in the ngap-handler.c file within the AMF component. The code processes UESecurityCapabilities IE fields without first verifying that the size of each algorithm field matches the expected buffer size. When an abnormally sized field is received, the subsequent memory operations cause undefined behavior leading to a crash.
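To make the missing check concrete, here is an added, self-contained C example (not Open5GS code): the bit_string_t, ue_security_capabilities_t and ue_sec_caps_t types, the 16-bit bitmap width and the sample bytes are assumptions standing in for the asn1c-generated structures, and decode_ue_security_capabilities refuses the IE before reading any bytes when a field is not the expected size, which is the behaviour the patch introduces.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for an asn1c-decoded BIT STRING: data pointer plus byte length. */
typedef struct { const uint8_t *buf; size_t size; } bit_string_t;

/* Constructed stand-in for the four UESecurityCapabilities fields named in the advisory. */
typedef struct {
    bit_string_t nRencryptionAlgorithms, nRintegrityProtectionAlgorithms;
    bit_string_t eUTRAencryptionAlgorithms, eUTRAintegrityProtectionAlgorithms;
} ue_security_capabilities_t;

/* Decoded bitmaps; 16 bits each is an assumption consistent with sizeof(nr_ea) in the patch. */
typedef struct { uint16_t nr_ea, nr_ia, eutra_ea, eutra_ia; } ue_sec_caps_t;
enum { SEC_CAP_OK = 0, SEC_CAP_BAD_NR_EA, SEC_CAP_BAD_NR_IA, SEC_CAP_BAD_EUTRA_EA, SEC_CAP_BAD_EUTRA_IA };

static uint16_t load_be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Hardened decode: every field must be exactly the bitmap size before a single byte is read,
 * so the caller can answer with an error indication instead of crashing on the unexpected data. */
int decode_ue_security_capabilities(const ue_security_capabilities_t *ie, ue_sec_caps_t *out)
{
    if (ie->nRencryptionAlgorithms.size != sizeof(out->nr_ea)) return SEC_CAP_BAD_NR_EA;
    if (ie->nRintegrityProtectionAlgorithms.size != sizeof(out->nr_ia)) return SEC_CAP_BAD_NR_IA;
    if (ie->eUTRAencryptionAlgorithms.size != sizeof(out->eutra_ea)) return SEC_CAP_BAD_EUTRA_EA;
    if (ie->eUTRAintegrityProtectionAlgorithms.size != sizeof(out->eutra_ia)) return SEC_CAP_BAD_EUTRA_IA;
    out->nr_ea = load_be16(ie->nRencryptionAlgorithms.buf);
    out->nr_ia = load_be16(ie->nRintegrityProtectionAlgorithms.buf);
    out->eutra_ea = load_be16(ie->eUTRAencryptionAlgorithms.buf);
    out->eutra_ia = load_be16(ie->eUTRAintegrityProtectionAlgorithms.buf);
    return SEC_CAP_OK;
}

/* Constructed samples: a well-formed IE with four 2-byte fields, and one whose
 * nRencryptionAlgorithms field carries 3 bytes, the kind of mismatch the patch rejects. */
static const uint8_t two_bytes[2] = {0xE0, 0x00}, three_bytes[3] = {0xE0, 0x00, 0x00};
static const ue_security_capabilities_t well_formed_ie =
    { {two_bytes, 2}, {two_bytes, 2}, {two_bytes, 2}, {two_bytes, 2} };
static const ue_security_capabilities_t malformed_ie =
    { {three_bytes, 3}, {two_bytes, 2}, {two_bytes, 2}, {two_bytes, 2} };

int demo_well_formed_rc(void) { ue_sec_caps_t c; return decode_ue_security_capabilities(&well_formed_ie, &c); }
unsigned demo_well_formed_nr_ea(void) { ue_sec_caps_t c = {0}; decode_ue_security_capabilities(&well_formed_ie, &c); return c.nr_ea; }
int demo_malformed_rc(void) { ue_sec_caps_t c; return decode_ue_security_capabilities(&malformed_ie, &c); }

int main(void)
{
    printf("well-formed: rc=%d nr_ea=0x%04x\n", demo_well_formed_rc(), demo_well_formed_nr_ea());
    printf("malformed:   rc=%d (SEC_CAP_BAD_NR_EA=%d)\n", demo_malformed_rc(), SEC_CAP_BAD_NR_EA);
    return 0;
}
```

In the real handler the non-zero return is where the AMF logs the bad size and sends an NGAP ErrorIndication with a protocol cause, as the patch does, rather than continuing into the copy.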
Attack Vector
The attack is network-based and requires no privileges or user interaction. An attacker with network access to the AMF's NGAP interface (typically the N2 interface in 5G architecture) can send a crafted NGSetupRequest message with malformed UE Security Capability fields. The attack targets the control plane of the 5G core network, making it particularly impactful for service availability.
// Security patch adding size validation for NGAP IE fields
// Source: https://github.com/open5gs/open5gs/commit/be765fe2b03e350836272eee5afb3931bdfb86d5
eUTRAintegrityProtectionAlgorithms =
&UESecurityCapabilities->eUTRAintegrityProtectionAlgorithms;
+ if (nRencryptionAlgorithms->size != sizeof(nr_ea)) {
+ ogs_error("Invalid nRencryptionAlgorithms->size = %d (expected %d)",
+ (int)nRencryptionAlgorithms->size,
+ (int)sizeof(nr_ea));
+ r = ngap_send_error_indication(
+ gnb, &ran_ue->ran_ue_ngap_id, &ran_ue->amf_ue_ngap_id,
+ NGAP_Cause_PR_protocol,
+ NGAP_CauseProtocol_message_not_compatible_with_receiver_state);
+ ogs_expect(r == OGS_OK);
+ ogs_assert(r != OGS_ERROR);
+ return;
+ }
+ if (nRintegrityProtectionAlgorithms->size != sizeof(nr_ia)) {
+ ogs_error("Invalid nRintegrityProtectionAlgorithms->size = %d "
+ "(expected %d)",
+ (int)nRintegrityProtectionAlgorithms->size,
+ (int)sizeof(nr_ia));
+ r = ngap_send_error_indication(
+ gnb, &ran_ue->ran_ue_ngap_id, &ran_ue->amf_ue_ngap_id,
+ NGAP_Cause_PR_protocol,
+ NGAP_CauseProtocol_message_not_compatible_with_receiver_state);
+ ogs_expect(r == OGS_OK);
+ ogs_assert(r != OGS_ERROR);
+ return;
+ }
+ if (eUTRAencryptionAlgorithms->size != sizeof(eutra_ea)) {
+ ogs_error("Invalid eUTRAencryptionAlgorithms->size = %d (expected %d)",
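Review bot: the three validation blocks shown (starting at `if (nRencryptionAlgorithms->size != sizeof(nr_ea))`, then nRintegrityProtectionAlgorithms and eUTRAencryptionAlgorithms) repeat the same log, send-error-indication, expect/assert, return sequence almost verbatim; a small static helper taking the field name, actual size and expected size would keep the four checks identical and make the eUTRA pair, which this excerpt cuts off after the first `ogs_error(` line, harder to get subtly different. Also, `ogs_assert(r != OGS_ERROR)` directly after `ogs_expect(r == OGS_OK)` turns a failed send of the error indication into an assertion failure on a path whose whole purpose is to keep a malformed message from taking the AMF down; logging the send failure and returning would be more in keeping with the intent of the fix.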
Source: GitHub Commit Note
Detection Methods for CVE-2025-63288
Indicators of Compromise
- Unexpected AMF process crashes or restarts in Open5GS deployments
- Error logs containing "Invalid nRencryptionAlgorithms->size" or similar size validation failures
- Unusual NGAP traffic patterns on the N2 interface, particularly malformed NGSetupRequest messages
- Repeated connection attempts from unknown or suspicious gNodeB identities
Detection Strategies
- Monitor AMF process stability and configure alerts for unexpected crashes or service restarts
- Implement NGAP protocol inspection at network boundaries to detect malformed messages with invalid IE field sizes
- Deploy intrusion detection rules to identify anomalous NGSetupRequest messages targeting the AMF interface
- Review Open5GS logs for NGAP_Cause_PR_protocol error indications that may signal exploitation attempts
Monitoring Recommendations
- Enable verbose logging on the AMF component to capture detailed NGAP message processing information
- Configure network monitoring tools to baseline normal NGAP traffic and alert on deviations
- Implement health checks for the AMF service with automatic alerting on availability issues
- Monitor system resources (memory, CPU) on hosts running Open5GS components for anomalies
How to Mitigate CVE-2025-63288
Immediate Actions Required
- Upgrade Open5GS to a version that includes commit be765fe2b03e350836272eee5afb3931bdfb86d5 or later
- Restrict network access to the AMF's NGAP interface to trusted gNodeBs only
- Implement network segmentation to isolate 5G core components from untrusted networks
- Configure service restart policies to maintain availability during potential attack attempts
Patch Information
The Open5GS project has released a security patch that adds proper size validation for NGAP/S1AP IE fields. The fix validates that each security algorithm field matches its expected size before processing and returns an error indication to the sender if validation fails. The patch is available in the GitHub commit referenced above (be765fe2b03e350836272eee5afb3931bdfb86d5); additional context and discussion can be found in the associated GitHub issue.
Workarounds
- Deploy a network firewall or security appliance in front of the AMF to filter malformed NGAP messages
- Implement rate limiting on the NGAP interface to reduce the impact of potential DoS attacks
- Use a reverse proxy or protocol gateway that can validate NGAP message structure before forwarding to the AMF
- Consider deploying redundant AMF instances to maintain service availability during attacks
# Configuration example - Restrict NGAP access to trusted gNodeBs using iptables
# Replace 192.168.1.0/24 with your trusted gNodeB subnet
# Allow NGAP (SCTP port 38412) traffic only from the trusted gNodeB network
iptables -A INPUT -p sctp --dport 38412 -s 192.168.1.0/24 -j ACCEPT
# Log remaining NGAP connection attempts before dropping them. LOG is a
# non-terminating target, so it must precede the DROP rule or it never matches
iptables -A INPUT -p sctp --dport 38412 -j LOG --log-prefix "NGAP_BLOCKED: "
iptables -A INPUT -p sctp --dport 38412 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.