CVE-2025-55904

4.0 MEDIUM

📋 TL;DR

Open5GS v2.7.5 is vulnerable to a NULL pointer dereference when receiving multipart/related HTTP POST requests with empty bodies to its Service-Based Interface (SBI). This causes a denial of service by crashing affected network functions (AMF, AUSF, BSF, NRF, NSSF, PCF, SMF, UDM, or UDR). Organizations running Open5GS for 5G core networks are affected.

💻 Affected Systems

Products:
  • Open5GS
Versions: v2.7.5 and earlier, i.e. builds prior to commit 67ba7f92bbd7a378954895d96d9d7b05d5b64615
Operating Systems: Linux, Unix-like systems where Open5GS runs
Default Config Vulnerable: ⚠️ Yes
Notes: All deployments using the vulnerable version with SBI interfaces enabled are affected. The vulnerability affects multiple 5G core network functions.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete service disruption of affected 5G core network functions, potentially impacting mobile network availability for subscribers.

🟠 Likely Case

Intermittent service crashes requiring manual restart of affected components, causing temporary service degradation.

🟢 If Mitigated

Minimal impact with proper network segmentation and monitoring allowing quick detection and recovery.

🌐 Internet-Facing: MEDIUM - SBI interfaces may be exposed to untrusted networks in some deployments, but typically sit behind firewalls.
🏢 Internal Only: MEDIUM - Internal attackers or compromised systems could trigger the crash, affecting 5G service availability.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending specially crafted HTTP requests to the SBI interface. No authentication is required if the interface is accessible.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Commit 67ba7f92bbd7a378954895d96d9d7b05d5b64615 or later

Vendor Advisory: https://github.com/open5gs/open5gs/commit/67ba7f92bbd7a378954895d96d9d7b05d5b64615

Restart Required: Yes

Instructions:

1. Update Open5GS to commit 67ba7f92bbd7a378954895d96d9d7b05d5b64615 or later.
2. Rebuild from source if using source installation.
3. Restart all affected Open5GS services (AMF, AUSF, BSF, NRF, NSSF, PCF, SMF, UDM, UDR).

🔧 Temporary Workarounds

Network Segmentation

all

Restrict access to SBI interfaces using firewalls or network ACLs to only trusted systems.

Input Validation Proxy

all

Deploy a reverse proxy or WAF to filter multipart/related requests with empty bodies before they reach Open5GS.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate SBI interfaces from untrusted networks.
  • Deploy monitoring and automated restart mechanisms for Open5GS services to minimize downtime.

🔍 How to Verify

Check if Vulnerable:

Check the Open5GS version and commit hash. If you are running v2.7.5 with a commit earlier than 67ba7f92bbd7a378954895d96d9d7b05d5b64615, you are vulnerable.

Check Version:

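open5gs-amfd -v          # Open5GS ships per-function daemons (open5gs-amfd, open5gs-smfd, ...); -v prints the version
git log --oneline -1     # run inside the Open5GS source checkout the binaries were built from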

Verify Fix Applied:

Verify that the running build includes commit 67ba7f92bbd7a378954895d96d9d7b05d5b64615 or a later one. Test by sending multipart/related POST requests with empty bodies to SBI interfaces; the system should not crash.

📡 Detection & Monitoring

Log Indicators:

  • Segmentation fault or crash logs from Open5GS processes
  • Unexpected service restarts of AMF, AUSF, BSF, NRF, NSSF, PCF, SMF, UDM, or UDR
  • HTTP 500 errors or connection resets on SBI interfaces

Network Indicators:

  • HTTP POST requests with Content-Type: multipart/related and empty body to SBI ports
  • Sudden drop in 5G core network function availability

SIEM Query:

(source="open5gs.log" AND ("segmentation fault" OR "crash" OR "SIGSEGV")) OR (source="network_traffic" AND http_method="POST" AND content_type="multipart/related" AND content_length=0)
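
The request pattern named in the Input Validation Proxy workaround and in the network indicators above can be matched with the check below. It is an added example, not Open5GS code or part of the original advisory. The record fields (`src`, `dst`, `method`, `headers`, `body_len`) and the sample data are assumptions about what a proxy or HTTP-aware sensor exports per SBI request.

```python
from collections import Counter

# Constructed sample records (not real traffic); field names are assumptions.
SAMPLE = [
    {"src": "192.0.2.10", "dst": "smf", "method": "POST", "body_len": 0,
     "headers": {"Content-Type": "multipart/related; boundary=b1", "Content-Length": "0"}},
    {"src": "192.0.2.10", "dst": "amf", "method": "post", "body_len": None,
     "headers": {"content-type": "Multipart/Related;boundary=b2", "content-length": " 0 "}},
    {"src": "192.0.2.20", "dst": "smf", "method": "POST", "body_len": 412,
     "headers": {"Content-Type": "multipart/related; boundary=b3"}},
    {"src": "192.0.2.30", "dst": "nrf", "method": "POST", "body_len": 0,
     "headers": {"Content-Type": "application/json"}},
    {"src": "192.0.2.40", "dst": "udm", "method": "POST", "body_len": None,
     "headers": {"Content-Type": "multipart/related"}},  # body length unknown
]


def media_type(value):
    """Media type without parameters, lowercased: 'Multipart/Related;boundary=x' -> 'multipart/related'."""
    return (value or "").split(";", 1)[0].strip().lower()


def is_empty_multipart_post(req, unknown_is_empty=False):
    """True when the request is a POST with Content-Type multipart/related and no body.

    unknown_is_empty=True is the fail-closed choice for a filtering proxy:
    a request whose body length cannot be determined is treated as a match.
    """
    if str(req.get("method", "")).upper() != "POST":
        return False
    headers = {k.lower(): v for k, v in req.get("headers", {}).items()}
    if media_type(headers.get("content-type")) != "multipart/related":
        return False
    if req.get("body_len") is not None:  # bytes actually observed win over the header
        return req["body_len"] == 0
    declared = headers.get("content-length", "").strip()
    if declared.isdigit():
        return int(declared) == 0
    return unknown_is_empty  # HTTP/2 requests may carry no Content-Length at all


def flagged_sources(records, unknown_is_empty=False):
    """Count matching requests per source address, for alerting or ACL review."""
    return Counter(r["src"] for r in records
                   if is_empty_multipart_post(r, unknown_is_empty))


if __name__ == "__main__":
    print(flagged_sources(SAMPLE))
```

Matching on the parsed media type rather than the raw header string avoids missing requests that add a `boundary` parameter or vary the header's case.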
