CVE-2025-65559: n/a
An issue was discovered in Open5GS 2.7.5-49-g465e90f. When processing a PFCP Session Establishment Request (type=50), the UPF crashes with a reachable assertion in `lib/pfcp/context.c` (`ogs_pfcp_object_teid_hash_set`) if the CreatePDR → PDI → F-TEID has CH=1 and the F-TEID address-family flag(s) (IPv4/IPv6) do not match the GTP-U resource family configured for the selected DNN (Network Instance), resulting in a denial of service.
AI Analysis
Technical Summary
CVE-2025-65559 is a vulnerability identified in Open5GS version 2.7.5-49-g465e90f, specifically within the User Plane Function (UPF) component responsible for handling PFCP (Packet Forwarding Control Protocol) messages. The issue occurs during the processing of a PFCP Session Establishment Request (message type 50). When the CreatePDR → PDI → F-TEID element has the CH flag set to 1, and the F-TEID address-family flags (indicating IPv4 or IPv6) do not correspond to the GTP-U resource family configured for the selected Data Network Name (DNN), an assertion in the function `ogs_pfcp_object_teid_hash_set` within `lib/pfcp/context.c` is triggered. This assertion is reachable from network input and causes the UPF process to crash, resulting in a denial of service (DoS) condition.
The vulnerability stems from improper validation of the F-TEID address-family flags against the expected GTP-U resource family: the code assumes the two agree and asserts on that assumption instead of rejecting the request. Exploitation requires no authentication or user interaction and can be performed remotely by sending crafted PFCP Session Establishment Requests to the UPF. The impact is limited to availability, as the crash disrupts packet forwarding and network session establishment, potentially causing service outages for subscribers relying on the affected UPF.
The CVSS v3.1 base score is 7.5 (High), reflecting the network attack vector, low attack complexity, no privileges required, no user interaction, unchanged scope, no confidentiality or integrity impact, but high availability impact. No known exploits are reported in the wild yet, and no patches are currently linked, indicating the need for proactive mitigation and monitoring. The underlying CWE is CWE-617 (Reachable Assertion), highlighting the coding error that allows an attacker to trigger a fatal assertion failure. This vulnerability is of particular concern for 5G core network operators using Open5GS, an open-source 5G core implementation increasingly adopted in various regions.
Potential Impact
For European organizations, particularly telecom operators and 5G service providers deploying Open5GS as part of their 5G core network infrastructure, this vulnerability poses a significant risk to network availability. A successful exploit can crash the UPF, a critical component responsible for forwarding user plane traffic, leading to service disruptions affecting end-users and enterprise customers. This can result in degraded network performance, dropped sessions, and potential revenue loss. Additionally, denial of service conditions in core network elements can cascade, impacting other dependent network functions and services. Given the increasing reliance on 5G for critical communications, IoT, and industrial applications in Europe, such outages could have broader economic and operational consequences. The vulnerability does not compromise confidentiality or integrity but undermines trust in network reliability. Organizations operating multi-vendor or open-source 5G core stacks must prioritize identifying vulnerable UPF instances and implement mitigations to maintain service continuity.
Mitigation Recommendations
1. Immediate mitigation involves implementing strict validation of PFCP Session Establishment Requests, specifically verifying that the F-TEID address-family flags align with the configured GTP-U resource family for the selected DNN before processing.
2. Network operators should deploy network-level filtering or rate limiting on PFCP traffic to the UPF to reduce exposure to malformed or malicious packets.
3. Monitor UPF logs and system health metrics for signs of assertion failures or crashes related to PFCP processing.
4. Engage with the Open5GS community or vendors for patches or updated releases addressing this vulnerability and plan prompt deployment once available.
5. Consider deploying redundant UPF instances and failover mechanisms to minimize service disruption in case of crashes.
6. Conduct thorough testing of PFCP message handling in staging environments to detect similar protocol parsing issues.
7. Review and update security policies to include anomaly detection for unusual PFCP traffic patterns.
8. Educate network operations teams about this specific vulnerability and response procedures to reduce incident response times.
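The validation named in recommendation 1, sketched as an added example (not Open5GS code and not its eventual patch): the F-TEID flags are checked against the configured GTP-U resource and a verdict is returned for the caller to turn into a PFCP rejection, instead of asserting. The `gtpu_resource` struct, `check_fteid` and the verdict names are hypothetical; the flag bit layout follows the F-TEID IE in 3GPP TS 29.244, and the strict rule that every requested family must be configured is an assumption.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Flag bits in the first octet of the F-TEID IE value (3GPP TS 29.244). */
#define FTEID_V4   0x01u
#define FTEID_V6   0x02u
#define FTEID_CH   0x04u
#define FTEID_CHID 0x08u

/* Hypothetical view of the GTP-U resource configured for the selected DNN. */
struct gtpu_resource { int has_ipv4; int has_ipv6; };

enum fteid_verdict { FTEID_OK, FTEID_TRUNCATED, FTEID_NO_FAMILY, FTEID_FAMILY_MISMATCH };

/* Validate an F-TEID IE value before any TEID allocation or hashing.
 * Returns a verdict the caller can map to a PFCP rejection cause. */
enum fteid_verdict check_fteid(const uint8_t *val, size_t len,
                               const struct gtpu_resource *res)
{
    if (val == NULL || res == NULL || len < 1)
        return FTEID_TRUNCATED;
    uint8_t flags = val[0];
    size_t need = 1;                               /* flags octet */
    if (flags & FTEID_CH) {
        if (flags & FTEID_CHID) need += 1;         /* CHOOSE ID octet */
    } else {
        need += 4;                                 /* TEID */
        if (flags & FTEID_V4) need += 4;           /* IPv4 address */
        if (flags & FTEID_V6) need += 16;          /* IPv6 address */
    }
    if (len < need)
        return FTEID_TRUNCATED;
    if (!(flags & (FTEID_V4 | FTEID_V6)))
        return FTEID_NO_FAMILY;
    /* Assumed strict policy: with CH=1 every requested family must be configured. */
    if ((flags & FTEID_CH) &&
        (((flags & FTEID_V4) && !res->has_ipv4) ||
         ((flags & FTEID_V6) && !res->has_ipv6)))
        return FTEID_FAMILY_MISMATCH;
    return FTEID_OK;
}

int main(void)
{
    /* Constructed sample: CH=1 asking for IPv6 against an IPv4-only resource. */
    const uint8_t ie[] = { FTEID_CH | FTEID_V6 };
    const struct gtpu_resource v4_only = { 1, 0 };
    printf("verdict=%d\n", check_fteid(ie, sizeof ie, &v4_only));
    return 0;
}
```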
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2025-11-18T00:00:00.000Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 69444e5e4eb3efac36a13dca
Added to database: 12/18/2025, 6:56:30 PM
Last enriched: 12/25/2025, 7:55:42 PM
Last updated: 2/7/2026, 9:13:29 PM