
CVE-2025-29339: n/a in n/a

High
Type: Vulnerability
ID: CVE-2025-29339
Tags: cve, cve-2025-29339, n-a, cwe-617
Published: Tue Apr 22 2025 (04/22/2025, 00:00:00 UTC)
Source: CVE
Vendor/Project: n/a
Product: n/a

Description

An issue in UPF in Open5GS UPF versions up to v2.7.2 results in an assertion failure vulnerability in PFCP session parameter validation. When processing a PFCP Session Establishment Request with PDN Type=0, the UPF fails to handle the invalid value propagated from SMF (or via direct attack), triggering a fatal assertion check and causing a daemon crash.

AI-Powered Analysis

Last updated: 06/21/2025, 17:21:53 UTC

Technical Analysis

CVE-2025-29339 is a high-severity vulnerability affecting the User Plane Function (UPF) component of Open5GS, an open-source implementation of 5G core network functions. The vulnerability arises in UPF versions up to v2.7.2 during the processing of PFCP (Packet Forwarding Control Protocol) Session Establishment Requests. When the UPF receives a PFCP Session Establishment Request containing an invalid PDN (Packet Data Network) Type value of 0, it fails to validate this parameter properly. The invalid value then reaches an assertion inside the UPF, the assertion fails, and the daemon process crashes. The invalid PDN Type value can be propagated from the Session Management Function (SMF) or introduced via a direct attack against the UPF. The root cause is a lack of robust input validation leading to a fatal assertion check failure (classified under CWE-617: Reachable Assertion).

The vulnerability does not impact confidentiality or integrity directly but results in a denial of service (DoS) condition by crashing the UPF daemon, thereby disrupting user plane data forwarding in the 5G core network. The CVSS v3.1 base score is 7.5 (High), with attack vector Network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), no confidentiality or integrity impact (C:N/I:N), and high availability impact (A:H).

No known exploits in the wild have been reported to date, and no official patches have been linked yet. The CVE was reserved on March 11, 2025, and published on April 22, 2025. Given the critical role of UPF in 5G networks for data forwarding, this vulnerability could be exploited remotely to cause service disruption in affected deployments.

Potential Impact

For European organizations, particularly telecom operators and service providers deploying Open5GS UPF in their 5G core networks, this vulnerability poses a significant risk of service disruption. Successful exploitation results in a denial of service on the UPF, which can interrupt user data traffic, degrade network performance, and potentially impact large numbers of subscribers. This could lead to customer dissatisfaction, regulatory scrutiny, and financial losses. Enterprises relying on private 5G networks using Open5GS could also experience operational interruptions. The disruption of UPF services may affect critical infrastructure sectors that depend on 5G connectivity, such as manufacturing, transportation, and healthcare. Given the increasing adoption of 5G and open-source core network components in Europe, the vulnerability could have widespread operational impact if exploited. However, since there is no confidentiality or integrity impact, data breaches or unauthorized data manipulation are not immediate concerns. Because no privileges or user interaction are required, attackers can trigger the crash remotely, which increases the threat level. The absence of known exploits in the wild currently reduces immediate risk but does not eliminate the potential for future attacks.

Mitigation Recommendations

1. Immediate monitoring of UPF daemon stability and logs for unexpected crashes or assertion failures related to PFCP session establishment requests is critical.
2. Implement network-level filtering to restrict and validate PFCP traffic sources, ensuring only trusted SMF entities can send session establishment requests to the UPF.
3. Deploy anomaly detection systems to identify malformed or suspicious PFCP messages, particularly those with invalid PDN Type values.
4. Engage with the Open5GS community and vendors to obtain and apply patches or updates addressing this vulnerability as soon as they become available.
5. Consider implementing redundancy and failover mechanisms for UPF instances to minimize service disruption in case of crashes.
6. Conduct thorough testing of UPF components in controlled environments with malformed PFCP messages to assess resilience and prepare incident response plans.
7. Limit exposure of UPF management and control interfaces to untrusted networks to reduce attack surface.
8. For organizations using custom or modified Open5GS deployments, review and harden PFCP parameter validation logic to prevent assertion failures.

These steps go beyond generic advice by focusing on protocol-specific filtering, monitoring, and community engagement tailored to the unique characteristics of this vulnerability.
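The check that items 3 and 8 call for, as an added example (not Open5GS code and not part of the original analysis): a standalone C routine that walks a PFCP message and returns an error for a PDN Type outside 1..5 instead of asserting. Message type 50, IE type 113 and the header layout are taken from 3GPP TS 29.244, not from this page; `check_pdn_type`, `sample_request` and the sample bytes are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Numeric values below are from 3GPP TS 29.244; they are not on this page. */
#define PFCP_SESS_EST_REQ 50   /* message type */
#define PFCP_IE_PDN_TYPE  113  /* IE type; valid values are 1..5 */
enum verdict { PFCP_OK, PFCP_NOT_APPLICABLE, PFCP_MALFORMED, PFCP_BAD_PDN_TYPE };
static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Walk the top-level IEs and return an error, rather than assert, on bad input. */
enum verdict check_pdn_type(const uint8_t *msg, size_t len)
{
    if (len < 8 || (msg[0] >> 5) != 1) return PFCP_MALFORMED;   /* PFCP version 1 */
    if (msg[1] != PFCP_SESS_EST_REQ) return PFCP_NOT_APPLICABLE;
    size_t hdr = (msg[0] & 0x01) ? 16 : 8;   /* S flag set: 8-byte SEID follows */
    size_t end = 4 + (size_t)be16(msg + 2);  /* length field excludes first 4 octets */
    if (end > len || end < hdr) return PFCP_MALFORMED;
    for (size_t off = hdr; off < end; ) {
        if (end - off < 4) return PFCP_MALFORMED;              /* truncated IE header */
        uint16_t type = be16(msg + off);
        size_t ie_len = be16(msg + off + 2);
        off += 4;
        if (ie_len > end - off) return PFCP_MALFORMED;         /* IE overruns message */
        if (type == PFCP_IE_PDN_TYPE) {
            if (ie_len < 1) return PFCP_MALFORMED;
            uint8_t pdn = msg[off] & 0x07;                     /* low 3 bits carry the type */
            if (pdn < 1 || pdn > 5) return PFCP_BAD_PDN_TYPE;  /* 0 lands here */
        }
        off += ie_len;
    }
    return PFCP_OK;
}

/* Constructed sample (not a capture): header plus one PDN Type IE. */
size_t sample_request(uint8_t *buf, uint8_t pdn_type)
{
    const uint8_t tmpl[21] = { 0x21, PFCP_SESS_EST_REQ, 0x00, 0x11,
        0, 0, 0, 0, 0, 0, 0, 0,  0, 0, 1,  0,  0x00, PFCP_IE_PDN_TYPE, 0x00, 0x01, 0x00 };
    memcpy(buf, tmpl, sizeof tmpl);
    buf[20] = pdn_type;
    return sizeof tmpl;
}

int main(void)
{
    uint8_t buf[21];
    printf("PDN Type 1 -> %d\n", check_pdn_type(buf, sample_request(buf, 1)));
    printf("PDN Type 0 -> %d\n", check_pdn_type(buf, sample_request(buf, 0)));
}
```

The same routine can sit in a passive monitor on the N4 interface or in front of the session handler; in both places a `PFCP_BAD_PDN_TYPE` result is something to log and reject, not a condition the process should abort on.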


Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2025-03-11T00:00:00.000Z
Cisa Enriched: true

Threat ID: 682d9847c4522896dcbf5be0

Added to database: 5/21/2025, 9:09:27 AM

Last enriched: 6/21/2025, 5:21:53 PM

Last updated: 8/14/2025, 8:26:38 AM
