GHSA-585V-HCGF-JHFR

Vulnerability from github – Published: 2026-05-07 02:09 – Updated: 2026-05-07 02:09
VLAI
Summary
Free5GC UDM has Improper Input Validation and Generation of Error Messages Containing Sensitive Information
Details

Summary

The free5GC UDM component fails to validate the supi path parameter in six GET handlers of the nudm-sdm (Subscriber Data Management) service. An unauthenticated attacker can inject control characters into the SUPI parameter, causing UDM to forward a malformed request to UDR and return a 500 Internal Server Error response that exposes internal infrastructure details.

Affected Package

  • Ecosystem: Go
  • Package: github.com/free5gc/udm
  • Affected versions: <= v1.4.2
  • Patched versions: none yet

Details

The following handlers in internal/sbi/api_subscriberdatamanagement.go do not call validator.IsValidSupi() before passing the supi parameter to the processor:

  • HandleGetSmfSelectDataGET /:supi/smf-select-data
  • HandleGetSupiGET /:supi
  • HandleGetTraceDataGET /:supi/trace-data
  • HandleGetUeContextInSmfDataGET /:supi/ue-context-in-smf-data
  • HandleGetNssaiGET /:supi/nssai
  • HandleGetSmDataGET /:supi/sm-data

By contrast, HandleGetAmData in the same file correctly validates the supi parameter:

// HandleGetAmData — correctly validates (not vulnerable)
supi := c.Params.ByName("supi")
if !validator.IsValidSupi(supi) {
    c.JSON(http.StatusBadRequest, problemDetail)
    return
}

// HandleGetSmfSelectData — missing validation (vulnerable)
supi := c.Params.ByName("supi")
// ← no validator.IsValidSupi(supi) call
s.Processor().GetSmfSelectDataProcedure(c, supi, plmnID, supportedFeatures)

The malformed supi is passed to the processor which constructs a URL to forward the request to UDR. Go's net/url parser rejects the URL containing control characters and returns an error. UDM catches this error and responds with a 500 SYSTEM_FAILURE that includes the full internal UDR URL in the detail field.

This is a missed fix of CVE-2026-27642, which applied the same validator.IsValidSupi() check only to internal/sbi/api_ueauthentication.go (HandleConfirmAuth and HandleGenerateAuthData), leaving the SDM service handlers unpatched.

Proof of Concept

# Vulnerable — returns 500 with internal UDR URL exposed
curl "http://<UDM_HOST>/nudm-sdm/v2/imsi-22277%00INJECTED/smf-select-data"
curl "http://<UDM_HOST>/nudm-sdm/v2/imsi-22277%00INJECTED/nssai"
curl "http://<UDM_HOST>/nudm-sdm/v2/imsi-22277%00INJECTED/trace-data"
curl "http://<UDM_HOST>/nudm-sdm/v2/imsi-22277%00INJECTED/sm-data"

# Expected (vulnerable) response:
# HTTP 500
# {
#   "title": "System failure",
#   "status": 500,
#   "detail": "parse \"http://udr.internal:80/nudr-dr/v2/subscription-data/imsi-22277\x00INJECTED//provisioned-data/smf-selection-subscription-data\": net/url: invalid control character in URL",
#   "cause": "SYSTEM_FAILURE"
# }

# Protected endpoint (for comparison) — returns 400
curl "http://<UDM_HOST>/nudm-sdm/v2/imsi-22277%00INJECTED/am-data"
# HTTP 400
# {"title":"Malformed request syntax","status":400,"detail":"Supi is invalid","cause":"MANDATORY_IE_INCORRECT"}

Impact

An unauthenticated remote attacker can send a crafted GET request to any of the six affected endpoints to obtain:

  1. Internal UDR hostname and port
  2. Full internal API path structure (/nudr-dr/v2/subscription-data/...)
  3. UDR API version
  4. Internal service naming convention

This information can be used to facilitate further attacks against the UDR or other internal 5G core components.

Recommended Fix

Add validator.IsValidSupi() to all six affected handlers, following the pattern already used in HandleGetAmData:

supi := c.Params.ByName("supi")
if !validator.IsValidSupi(supi) {
    problemDetail := models.ProblemDetails{
        Title:  "Malformed request syntax",
        Status: http.StatusBadRequest,
        Detail: "Supi is invalid",
        Cause:  "MANDATORY_IE_INCORRECT",
    }
    c.Set(sbi.IN_PB_DETAILS_CTX_STR, http.StatusText(int(problemDetail.Status)))
    c.JSON(int(problemDetail.Status), problemDetail)
    return
}
Severity
7.7 (High)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/free5gc/udm"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.4.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-42459"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20",
      "CWE-209"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-07T02:09:58Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "## Summary\n\nThe free5GC UDM component fails to validate the `supi` path parameter in six GET handlers of the `nudm-sdm` (Subscriber Data Management) service. An unauthenticated attacker can inject control characters into the SUPI parameter, causing UDM to forward a malformed request to UDR and return a `500 Internal Server Error` response that exposes internal infrastructure details.\n\n## Affected Package\n\n- **Ecosystem**: Go\n- **Package**: `github.com/free5gc/udm`\n- **Affected versions**: `\u003c= v1.4.2`\n- **Patched versions**: none yet\n\n## Details\n\nThe following handlers in `internal/sbi/api_subscriberdatamanagement.go` do not call `validator.IsValidSupi()` before passing the `supi` parameter to the processor:\n\n- `HandleGetSmfSelectData` \u2014 `GET /:supi/smf-select-data`\n- `HandleGetSupi` \u2014 `GET /:supi`\n- `HandleGetTraceData` \u2014 `GET /:supi/trace-data`\n- `HandleGetUeContextInSmfData` \u2014 `GET /:supi/ue-context-in-smf-data`\n- `HandleGetNssai` \u2014 `GET /:supi/nssai`\n- `HandleGetSmData` \u2014 `GET /:supi/sm-data`\n\nBy contrast, `HandleGetAmData` in the same file correctly validates the `supi` parameter:\n\n```go\n// HandleGetAmData \u2014 correctly validates (not vulnerable)\nsupi := c.Params.ByName(\"supi\")\nif !validator.IsValidSupi(supi) {\n    c.JSON(http.StatusBadRequest, problemDetail)\n    return\n}\n\n// HandleGetSmfSelectData \u2014 missing validation (vulnerable)\nsupi := c.Params.ByName(\"supi\")\n// \u2190 no validator.IsValidSupi(supi) call\ns.Processor().GetSmfSelectDataProcedure(c, supi, plmnID, supportedFeatures)\n```\n\nThe malformed `supi` is passed to the processor which constructs a URL to forward the request to UDR. Go\u0027s `net/url` parser rejects the URL containing control characters and returns an error. UDM catches this error and responds with a `500 SYSTEM_FAILURE` that includes the full internal UDR URL in the `detail` field.\n\n**This is a missed fix of CVE-2026-27642**, which applied the same `validator.IsValidSupi()` check only to `internal/sbi/api_ueauthentication.go` (`HandleConfirmAuth` and `HandleGenerateAuthData`), leaving the SDM service handlers unpatched.\n\n## Proof of Concept\n\n```bash\n# Vulnerable \u2014 returns 500 with internal UDR URL exposed\ncurl \"http://\u003cUDM_HOST\u003e/nudm-sdm/v2/imsi-22277%00INJECTED/smf-select-data\"\ncurl \"http://\u003cUDM_HOST\u003e/nudm-sdm/v2/imsi-22277%00INJECTED/nssai\"\ncurl \"http://\u003cUDM_HOST\u003e/nudm-sdm/v2/imsi-22277%00INJECTED/trace-data\"\ncurl \"http://\u003cUDM_HOST\u003e/nudm-sdm/v2/imsi-22277%00INJECTED/sm-data\"\n\n# Expected (vulnerable) response:\n# HTTP 500\n# {\n#   \"title\": \"System failure\",\n#   \"status\": 500,\n#   \"detail\": \"parse \\\"http://udr.internal:80/nudr-dr/v2/subscription-data/imsi-22277\\x00INJECTED//provisioned-data/smf-selection-subscription-data\\\": net/url: invalid control character in URL\",\n#   \"cause\": \"SYSTEM_FAILURE\"\n# }\n\n# Protected endpoint (for comparison) \u2014 returns 400\ncurl \"http://\u003cUDM_HOST\u003e/nudm-sdm/v2/imsi-22277%00INJECTED/am-data\"\n# HTTP 400\n# {\"title\":\"Malformed request syntax\",\"status\":400,\"detail\":\"Supi is invalid\",\"cause\":\"MANDATORY_IE_INCORRECT\"}\n```\n\n## Impact\n\nAn unauthenticated remote attacker can send a crafted GET request to any of the six affected endpoints to obtain:\n\n1. Internal UDR hostname and port\n2. Full internal API path structure (`/nudr-dr/v2/subscription-data/...`)\n3. UDR API version\n4. Internal service naming convention\n\nThis information can be used to facilitate further attacks against the UDR or other internal 5G core components.\n\n## Recommended Fix\n\nAdd `validator.IsValidSupi()` to all six affected handlers, following the pattern already used in `HandleGetAmData`:\n\n```go\nsupi := c.Params.ByName(\"supi\")\nif !validator.IsValidSupi(supi) {\n    problemDetail := models.ProblemDetails{\n        Title:  \"Malformed request syntax\",\n        Status: http.StatusBadRequest,\n        Detail: \"Supi is invalid\",\n        Cause:  \"MANDATORY_IE_INCORRECT\",\n    }\n    c.Set(sbi.IN_PB_DETAILS_CTX_STR, http.StatusText(int(problemDetail.Status)))\n    c.JSON(int(problemDetail.Status), problemDetail)\n    return\n}\n```",
  "id": "GHSA-585v-hcgf-jhfr",
  "modified": "2026-05-07T02:09:58Z",
  "published": "2026-05-07T02:09:58Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/free5gc/free5gc/security/advisories/GHSA-585v-hcgf-jhfr"
    },
    {
      "type": "WEB",
      "url": "https://github.com/free5gc/free5gc/security/advisories/GHSA-h4wg-rp7m-8xx4"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/free5gc/free5gc"
    },
    {
      "type": "WEB",
      "url": "https://github.com/free5gc/udm/blob/v1.4.3/internal/sbi/api_subscriberdatamanagement.go"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Free5GC UDM has Improper Input Validation and Generation of Error Messages Containing Sensitive Information"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.