Listen to this Post
How the mentioned CVE works (around 20 lines):
The vulnerability resides in the UDR service’s PUT endpoint /nudr-dr/v2/policy-data/subs-to-notify/{subsId}. The handler `HandlePolicyDataSubsToNotifySubsIdPut` in `api_datarepository.go` fails to abort execution after request body retrieval or deserialization errors. Normally, the handler reads the HTTP body via c.GetRawData(). If this fails, it sends an HTTP 500 error but does not return. Similarly, it calls openapi.Deserialize(policyDataSubscription, reqBody, "application/json"); on failure, it sends an HTTP 400 error yet again without returning. Consequently, execution proceeds to s.Processor().PolicyDataSubsToNotifySubsIdPutProcedure(c, subsId, policyDataSubscription), even when the `policyDataSubscription` object is empty, partially initialized, or malformed. The deserialization call passes the object by value instead of a pointer, compounding the risk. This fail-open behavior allows an attacker to send malformed or empty request bodies, causing the processor to potentially update an existing policy data notification subscription with invalid data. Unlike safer handlers in the same file that explicitly `return` after errors, this handler continues, leading to unintended modifications. The issue is write-capable and affects subscription data identified by subsId. Static analysis confirms the code path; runtime proof of arbitrary modification is pending but plausible. A patch requires adding `return` statements after each error response and passing a pointer to openapi.Deserialize.
dailycve form:
Platform: free5GC UDR
Version: Not specified
Vulnerability: Fail-open request handling
Severity: Critical
date: Not disclosed
Prediction: 2 weeks
What Undercode Say:
Analytics
Check vulnerable handler in free5GC UDR
grep -n "HandlePolicyDataSubsToNotifySubsIdPut" NFs/udr/internal/sbi/api_datarepository.go
Verify missing return statements after error responses
awk '/GetRawData/,/return/ {if(/c.JSON.500/ && !/return/) print "Missing return at line " NR}' api_datarepository.go
Test with malformed PUT request
curl -X PUT http://<udr-ip>:<port>/nudr-dr/v2/policy-data/subs-to-notify/test123 -H "Content-Type: application/json" -d 'invalid json' -v
Exploit:
Send a PUT request with empty body or malformed JSON to the vulnerable endpoint. The server returns an error (500 or 400) but still processes the request, potentially overwriting the subscription with default/uninitialized data.
Protection from this CVE:
Apply patch adding `return` after each error response in HandlePolicyDataSubsToNotifySubsIdPut. Change deserialization to pass pointer (&policyDataSubscription). Upgrade to free5GC version with fix or manually modify source as shown in the .
Impact:
Unintended modification or deletion of Policy Data notification subscriptions. May lead to inconsistent network policy enforcement, denial of service, or unauthorized subscription changes depending on downstream storage validation.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

