CVE-2025-66719 Overview
A critical authorization bypass vulnerability has been discovered in Free5gc NRF (Network Repository Function) version 1.4.0. The vulnerability exists in the access-token generation logic where the AccessTokenScopeCheck() function in internal/sbi/processor/access_token.go fails to properly validate scope parameters when an attacker supplies a specially crafted targetNF value. This flaw allows attackers to completely bypass scope validation and obtain access tokens with any arbitrary scope, potentially compromising the entire 5G core network infrastructure.
Critical Impact
Attackers can bypass authentication scope validation to obtain access tokens with arbitrary permissions, enabling unauthorized access to 5G network functions and services.
Affected Products
- Free5gc NRF 1.4.0
- Free5gc 5G Core Network deployments using vulnerable NRF versions
Discovery Timeline
- 2026-01-23 - CVE CVE-2025-66719 published to NVD
- 2026-01-26 - Last updated in NVD database
Technical Details for CVE-2025-66719
Vulnerability Analysis
This vulnerability is classified as CWE-863 (Incorrect Authorization), which occurs when software fails to properly enforce authorization checks on resources or actions. In the context of Free5gc NRF, the access token generation mechanism contains a critical flaw that allows complete circumvention of scope validation controls.
The Free5gc Network Repository Function (NRF) is responsible for service discovery and access token generation within 5G core network architectures. Access tokens are essential for authenticating and authorizing network functions to communicate with each other. The vulnerability undermines this critical security mechanism.
When the AccessTokenScopeCheck() function receives a maliciously crafted targetNF parameter, it bypasses all scope validation logic. This means an attacker can request and receive access tokens with permissions they should not have, enabling unauthorized access to other network functions and their services.
Root Cause
The root cause lies in improper input validation within the AccessTokenScopeCheck() function located in internal/sbi/processor/access_token.go. The function fails to properly handle edge cases or malformed targetNF values, resulting in the scope validation logic being completely bypassed rather than failing securely.
Attack Vector
The attack is network-based and requires no authentication or user interaction. An attacker with network access to the NRF service can craft malicious requests containing specially formed targetNF parameter values. When processed by the vulnerable AccessTokenScopeCheck() function, these requests bypass all scope validation checks, allowing the attacker to obtain access tokens with arbitrary permissions.
The vulnerability allows attackers to:
- Craft malicious token requests with a specially formed targetNF value
- Bypass the AccessTokenScopeCheck() function's validation logic entirely
- Obtain access tokens with any requested scope permissions
- Use these tokens to access other 5G network functions without proper authorization
Technical details and proof of concept information can be found in the GitHub Issue #736 and the corresponding GitHub Pull Request #73 which addresses the fix.
Detection Methods for CVE-2025-66719
Indicators of Compromise
- Unusual access token requests containing malformed or unexpected targetNF parameter values
- Access tokens being generated with elevated or unexpected scope permissions
- Anomalous network function access patterns indicating unauthorized service calls
- Unexpected cross-service communications between network functions that should not interact
Detection Strategies
- Monitor NRF access token generation logs for requests with abnormal targetNF values or unusual scope combinations
- Implement input validation monitoring on the NRF API endpoints to detect malformed requests
- Deploy network traffic analysis to identify unauthorized network function communications
- Review access token audit logs for tokens granted with permissions inconsistent with normal operational patterns
Monitoring Recommendations
- Enable detailed logging for all access token generation requests in the NRF component
- Implement alerting on access token requests that bypass expected validation patterns
- Monitor for lateral movement between network functions using potentially compromised tokens
- Establish baseline metrics for normal token scope distributions to detect anomalies
How to Mitigate CVE-2025-66719
Immediate Actions Required
- Update Free5gc NRF to the latest patched version immediately
- Review all recently generated access tokens for potentially compromised credentials
- Implement network segmentation to restrict access to NRF endpoints
- Monitor for any suspicious access patterns that may indicate exploitation
Patch Information
A patch has been developed to address this vulnerability. The fix is available through GitHub Pull Request #73 in the NRF repository. Organizations should apply this patch or update to a version of Free5gc NRF that incorporates this fix.
Additional details about the vulnerability and remediation are available in GitHub Issue #736.
Workarounds
- Implement network-level access controls to restrict which systems can communicate with the NRF service
- Deploy a Web Application Firewall (WAF) or API gateway with custom rules to validate and sanitize targetNF parameters before they reach the NRF
- Enable strict input validation at the network perimeter for all incoming NRF API requests
- Consider isolating the NRF service in a restricted network segment while awaiting patch deployment
# Network segmentation example using iptables
# Restrict NRF access to authorized network functions only
iptables -A INPUT -p tcp --dport 29510 -s <authorized_nf_ip_range> -j ACCEPT
iptables -A INPUT -p tcp --dport 29510 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
