CVE-2025-60638
📋 TL;DR
This vulnerability in Free5GC allows attackers to cause denial of service by sending specially crafted POST requests to the Nnssf_NSSAIAvailability API. It affects Free5GC versions 4.0.0 and 4.0.1, potentially disrupting 5G core network services for operators using this open-source implementation.
💻 Affected Systems
- Free5GC
📦 What is this software?
Free5gc by Free5gc
⚠️ Risk & Real-World Impact
Worst Case
Complete service disruption of the Free5GC instance, affecting all 5G core network functions and potentially causing widespread service outages for mobile network subscribers.
Likely Case
Temporary service degradation or unavailability of the NSSF (Network Slice Selection Function) component, impacting network slice management capabilities.
If Mitigated
Minimal impact with proper rate limiting, input validation, and network segmentation in place.
🎯 Exploit Status
Exploitation requires network access to the vulnerable API endpoint but no authentication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v4.0.2 or later
Vendor Advisory: https://github.com/free5gc/free5gc/issues/704
Restart Required: Yes
Instructions:
1. Update Free5GC to version 4.0.2 or later.
2. Stop all Free5GC services.
3. Replace the existing installation with the patched version.
4. Restart all Free5GC services.
🔧 Temporary Workarounds
Network Access Control
Linux: Restrict access to the Nnssf_NSSAIAvailability API endpoint using firewall rules or network segmentation.
iptables -A INPUT -p tcp --dport [NSSF_PORT] -s [TRUSTED_NETWORK] -j ACCEPT
iptables -A INPUT -p tcp --dport [NSSF_PORT] -j DROP
Rate Limiting
All platforms: Implement rate limiting on the vulnerable API endpoint to prevent DoS attacks.
# Configure using web server or application firewall
🧯 If You Can't Patch
- Implement strict network segmentation to isolate the NSSF component from untrusted networks.
- Deploy a web application firewall (WAF) with DoS protection rules in front of the vulnerable API endpoint.
🔍 How to Verify
Check if Vulnerable:
Check if Free5GC version is 4.0.0 or 4.0.1 and the Nnssf_NSSAIAvailability API endpoint is accessible.
Check Version:
free5gc version
Verify Fix Applied:
Verify Free5GC version is 4.0.2 or later and test the API endpoint with crafted POST requests to ensure it doesn't cause service disruption.
📡 Detection & Monitoring
Log Indicators:
- Unusual volume of POST requests to /nnssf-nssaiavailability endpoint
- Error logs indicating malformed requests or service crashes
Network Indicators:
- High volume of HTTP POST traffic to NSSF port
- Abnormal request patterns to the vulnerable API endpoint
SIEM Query:
source="free5gc" AND (uri_path="/nnssf-nssaiavailability*" AND http_method="POST") | stats count by src_ip
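The log indicators above (POST volume to the endpoint and error responses) can also be checked offline with a short script. This is an added example, not Free5GC code or part of the advisory; the log line layout, the threshold and the window are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

API_PREFIX = "/nnssf-nssaiavailability"
# Assumed layout (not a documented Free5GC format): "<ISO time> <source IP> <method> <path> <status>"
LINE_RE = re.compile(r"^(\S+) (\S+) ([A-Z]+) (\S+) (\d{3})$")

# Constructed sample log: documentation-range addresses, invented timestamps.
SAMPLE_LOG = """\
2025-01-01T12:00:00 198.51.100.7 POST /nnssf-nssaiavailability/v1/nssai-availability/subscriptions 201
2025-01-01T12:00:01 192.0.2.10 POST /nnssf-nssaiavailability/v1/nssai-availability/subscriptions 400
2025-01-01T12:00:02 192.0.2.10 POST /nnssf-nssaiavailability/v1/nssai-availability/subscriptions 400
2025-01-01T12:00:03 192.0.2.10 POST /nnssf-nssaiavailability/v1/nssai-availability/subscriptions 400
2025-01-01T12:00:04 192.0.2.10 POST /nnssf-nssaiavailability/v1/nssai-availability/subscriptions 500
2025-01-01T12:00:05 192.0.2.10 POST /nnssf-nssaiavailability/v1/nssai-availability/subscriptions 500
-- log rotated --
2025-01-01T12:00:30 198.51.100.7 GET /nnssf-nsselection/v1/network-slice-information 200
2025-01-01T12:01:00 198.51.100.7 POST /nnssf-nssaiavailability/v1/nssai-availability/subscriptions 201
"""

def find_post_bursts(lines, threshold=5, window=timedelta(seconds=10)):
    """Map source IP -> (peak POSTs in one window, error responses) for noisy sources."""
    recent = defaultdict(deque)  # per-source POST timestamps still inside the window
    peak = defaultdict(int)
    errors = defaultdict(int)
    for line in lines:  # lines are assumed to be in chronological order
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed layout
        ts, src, method, path, status = m.groups()
        if method != "POST" or not path.startswith(API_PREFIX):
            continue
        try:
            now = datetime.fromisoformat(ts)
        except ValueError:
            continue  # unparseable timestamp
        q = recent[src]
        q.append(now)
        while now - q[0] > window:
            q.popleft()
        peak[src] = max(peak[src], len(q))
        if int(status) >= 400:
            errors[src] += 1
    return {s: (peak[s], errors[s]) for s in peak if peak[s] >= threshold}

if __name__ == "__main__":
    print(find_post_bursts(SAMPLE_LOG.splitlines()))
```
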