7.5

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-60638

CVE-2025-60638: NSSF panic due to nil pointer dereference when expiry field is omitted in NSSAIAvailability POST

An issue was discovered in Free5GC v4.0.0 and v4.0.1 allowing an attacker to cause a denial of service via crafted POST request to the Nnssf_NSSAIAvailability API.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-60638

CVE-2025-60638:

7.5

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/free5gc/nssf	go	< 1.4.0	1.4.0

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The analysis of the provided security patch (commit 66fc727a894fa821fde14030346b18de69192204) clearly indicates the source of the vulnerability. The patch is located in the internal/sbi/processor/nssaiavailability_subscription.go file and modifies the NssaiAvailabilitySubscriptionCreate function. The change from if !subscription.SubscriptionData.Expiry.IsZero() to if subscription.SubscriptionData.Expiry != nil && !subscription.SubscriptionData.Expiry.IsZero() directly addresses the nil pointer dereference. This occurs when the Expiry field is not present in the NSSAIAvailability POST request, leading to a nil value for subscription.SubscriptionData.Expiry. The original code would then attempt to call IsZero() on a nil pointer, causing the NSSF to panic. Therefore, the Processor.NssaiAvailabilitySubscriptionCreate function is the vulnerable function that would appear in a runtime profile during exploitation.

Vulnerable functions

Processor.NssaiAvailabilitySubscriptionCreate

internal/sbi/processor/nssaiavailability_subscription.go

The vulnerability lies in the `NssaiAvailabilitySubscriptionCreate` function. When a POST request is made to the Nnssf_NSSAIAvailability API without an `expiry` field, the `subscription.SubscriptionData.Expiry` field is nil. The original code attempts to call the `IsZero()` method on this nil pointer, causing a panic and a denial of service.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

7.5

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-60638: NSSF panic due to nil pointer dereference when expiry field is omitted in NSSAIAvailability POST

CVE-2025-60638:

7.5

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

7.5

7.5

Basic Information

Basic Information

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2025-60638: NSSF panic due to nil pointer dereference when expiry field is omitted in NSSAIAvailability POST

Technical Details

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI