Listen to this Post
The core of this vulnerability is a fail‑open flaw in the UDR service’s `HandlePolicyDataSubsToNotifyPost` function. This handler processes POST requests to `/nudr-dr/v2/policy-data/subs-to-notify` and is intended to create a Policy Data notification subscription only after a valid request body has been successfully read and parsed.
The flawed request flow proceeds as follows:
- The handler calls `c.GetRawData()` to retrieve the HTTP request body.
- If `GetRawData()` fails, the handler sends an HTTP 500 error response but does not return.
3. The handler then calls `openapi.Deserialize(policyDataSubscription, reqBody, “application/json”)`.
- If deserialization fails, the handler sends an HTTP 400 error response but again does not return.
- Regardless of the errors, execution continues and invokes
s.Processor().PolicyDataSubsToNotifyPostProcedure(c, policyDataSubscription).
Because the handler does not abort the request after a failure, the processor may receive an uninitialised, partially initialised, or otherwise unintended `PolicyDataSubscription` object. This differs from safer handlers in the same file that use a helper pattern to explicitly return on body read or deserialisation failures.
The exact runtime impact depends on downstream processor behaviour and storage validation, but at minimum this is a security‑relevant robustness flaw that can lead to inconsistent request handling and, under certain conditions, the creation of invalid or unintended subscription state. The code path has been statically confirmed, though a complete runtime proof of unintended subscription creation has not yet been established.
The recommended patch adds missing `return` statements after each error response and corrects the deserialisation call to pass a pointer to the destination object.Platform: free5GC UDR Version: 4.2.1 and below Vulnerability: Fail-open error handling Severity: Moderate date: 2026-04-21 Prediction: Patch available 2026-04-21
Analytics under What Undercode Say:
Check running UDR version
free5gc-udr --version
Simulate a malformed request to trigger fail-open behaviour
curl -X POST http://<udr-host>:29503/nudr-dr/v2/policy-data/subs-to-notify \
-H "Content-Type: application/json" \
-d '{"invalid": "json"}' \
-v
Monitor logs for error responses followed by continued processing
tail -f /var/log/free5gc/udr.log | grep -E "Get Request Body error|Deserialize Request Body error|PolicyDataSubsToNotifyPostProcedure"
Exploit:
An attacker can send a POST request to `/nudr-dr/v2/policy-data/subs-to-notify` with an invalid or empty body (e.g., {}). Despite the UDR returning an HTTP 400 or 500 error, the processor is still invoked with a malformed `PolicyDataSubscription` object. Depending on how the downstream processor and storage handle such objects, this may result in the creation of an unintended subscription or other inconsistent state.
Protection from this CVE:
- Apply the official patch that adds missing `return` statements and corrects the deserialisation call.
- Upgrade to a patched version of free5GC UDR (e.g., version >4.2.1).
- If patching is not immediately possible, implement a reverse proxy or API gateway that validates the request body before forwarding it to the UDR, rejecting malformed requests before they reach the vulnerable handler.
Impact:
- Inconsistent subscription state: The UDR may create subscriptions with empty, partially initialised, or invalid data, leading to unpredictable behaviour in the 5G core network.
- Bypass of input validation: Because execution continues after errors, the usual input validation and error‑handling mechanisms are effectively bypassed.
- Potential for further abuse: While the exact consequences depend on the downstream processor, this flaw could be chained with other issues to compromise the integrity of policy data.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

