6.5

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-60633

CVE-2025-60633: Free5GC is vulnerable to DoS via the Nudm_SubscriberDataManagement API

An issue was discovered in Free5GC v4.0.0 and v4.0.1 allowing an attacker to cause a denial of service via the Nudm_SubscriberDataManagement API.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-60633

CVE-2025-60633:

6.5

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/free5gc/udm	go	<= 1.4.0
github.com/free5gc/openapi	go	< 1.2.2	1.2.2

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability consists of multiple Denial of Service vectors within the Free5GC UDM's Nudm_SubscriberDataManagement API. The root cause across all identified functions is a failure to properly validate and handle user-controllable input. Specifically:

Index Out of Range Panic: In Server.HandleGetSharedData, the code directly accessed an element from a slice populated by a URL query parameter (supported-features) without first checking if the slice was empty. An attacker could omit this parameter, causing an 'index out of range' panic that crashes the service.
Improper Input Unmarshalling: In Processor.GetSmDataProcedure, the single-nssai parameter was unmarshalled from JSON without adequate error handling. A malformed JSON string would cause an unhandled error, resulting in a panic and service termination.
Missing Input Validation: In Processor.SubscribeToSharedDataProcedure, the NfInstanceId field was used without being validated for presence or correct format (UUID). A missing or invalid ID would lead to an internal server error and crash, as downstream logic likely depends on a valid ID.

In all cases, an attacker with network access to the API could send specially crafted requests to trigger these conditions, causing the UDM process to crash and resulting in a Denial of Service.

Vulnerable functions

Server.HandleGetSharedData

internal/sbi/api_subscriberdatamanagement.go

The function was vulnerable to a panic due to an 'index out of range' error. It directly accessed `supportedFeatures[0]` without checking if the `supported-features` query parameter was provided. If the parameter was omitted, the `supportedFeatures` slice would be empty, causing a panic that would crash the service.

Processor.GetSmDataProcedure

internal/sbi/processor/subscriber_data_management.go

The function attempted to unmarshal the `Snssai` parameter without proper error handling for malformed input. Sending a request with an invalid JSON string for the 'single-nssai' parameter would cause an unhandled error, leading to a system failure and Denial of Service. The patch adds a check for malformed input and returns a `400 Bad Request` instead of crashing.

Processor.SubscribeToSharedDataProcedure

internal/sbi/processor/subscriber_data_management.go

The function did not validate the `NfInstanceId` within the `sdmSubscription` object. Sending a request with a missing or malformed `NfInstanceId` would cause an internal server error (HTTP 500), leading to a Denial of Service. The patch adds validation to ensure the `NfInstanceId` is present and is a valid UUID, returning a `400 Bad Request` if it is not.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

6.5

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-60633: Free5GC is vulnerable to DoS via the Nudm_SubscriberDataManagement API

CVE-2025-60633:

6.5

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Technical Details

6.5

6.5

CVE-2025-60633: Free5GC is vulnerable to DoS via the Nudm_SubscriberDataManagement API

Basic Information

Basic Information

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI