CVE-2025-65559

7.5 HIGH

📋 TL;DR

A reachable assertion vulnerability in the Open5GS UPF component causes denial of service when it processes malformed PFCP Session Establishment Requests with mismatched address-family flags. This affects Open5GS deployments that use the UPF component and can disrupt 5G network services.

💻 Affected Systems

Products:
  • Open5GS
Versions: 2.7.5-49-g465e90f and potentially earlier versions
Operating Systems: Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects deployments that use the UPF component with GTP-U resources configured for specific DNNs.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete UPF crash leading to denial of 5G user plane services for affected network slices, disrupting data connectivity for subscribers.

🟠 Likely Case: Targeted DoS attacks causing intermittent UPF crashes and service disruption for specific DNN configurations.

🟢 If Mitigated: Limited impact with proper network segmentation and monitoring, allowing quick service restoration.

🌐 Internet-Facing: MEDIUM - PFCP interface may be exposed to core network elements but typically not directly internet-facing.
🏢 Internal Only: HIGH - Internal malicious actors or compromised network elements can trigger the crash.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires ability to send PFCP messages to UPF, typically from within the 5G core network.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check GitHub issue for latest fix

Vendor Advisory: https://github.com/open5gs/open5gs/issues/4135

Restart Required: Yes

Instructions:

1. Monitor GitHub issue #4135 for official patch.
2. Update Open5GS to patched version.
3. Restart UPF service.

🔧 Temporary Workarounds

Network Access Control

Restrict PFCP access to trusted network elements only (Linux; replace trusted_ip with the address of a trusted PFCP peer):

iptables -A INPUT -p udp --dport 8805 -s trusted_ip -j ACCEPT
iptables -A INPUT -p udp --dport 8805 -j DROP

🧯 If You Can't Patch

  • Implement network monitoring for PFCP traffic anomalies
  • Deploy redundant UPF instances with load balancing to maintain service during crashes

🔍 How to Verify

Check if Vulnerable:

Check the Open5GS version and verify whether the UPF component is running the vulnerable code from lib/pfcp/context.c

Check Version:

open5gs-upfd --version

Verify Fix Applied:

Test with a malformed PFCP Session Establishment Request containing CH=1 and mismatched address-family flags

📡 Detection & Monitoring

Log Indicators:

  • UPF crash logs
  • Assertion failure in ogs_pfcp_object_teid_hash_set
  • PFCP session establishment failures

Network Indicators:

  • Unusual PFCP type=50 requests with CH=1 flag
  • Sudden drop in GTP-U traffic
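
One way to check captured PFCP payloads for the type=50 / CH=1 indicator above, as an added example (not Open5GS code and not part of the advisory): it walks a Session Establishment Request down to each F-TEID with CH=1 and reports those that ask for an address family outside the set the operator says the UPF's GTP-U resource serves. The header and IE layout follow 3GPP TS 29.244; reading "mismatched" as "family not configured", the `configured` parameter, the function names and the sample bytes are assumptions made here.

```python
import struct

# Numbers from 3GPP TS 29.244: message type, IE types, F-TEID flag bits.
SESSION_ESTABLISHMENT_REQUEST = 50
IE_CREATE_PDR, IE_PDI, IE_F_TEID = 1, 2, 21
V4, V6, CH = 0x01, 0x02, 0x04

def iter_ies(buf):
    """Yield (type, value) per TLV IE; stop quietly at a truncated IE."""
    off = 0
    while off + 4 <= len(buf):
        ie_type, ie_len = struct.unpack_from("!HH", buf, off)
        value = buf[off + 4:off + 4 + ie_len]
        if len(value) < ie_len:
            return
        yield ie_type, value
        off += 4 + ie_len

def choose_fteids(msg):
    """Address families requested by each CH=1 F-TEID in a type-50 message."""
    if len(msg) < 8 or msg[0] >> 5 != 1 or msg[1] != SESSION_ESTABLISHMENT_REQUEST:
        return []
    hdr_len = 16 if msg[0] & 0x01 else 8  # S flag set: 8-byte SEID follows
    (length,) = struct.unpack_from("!H", msg, 2)  # counts bytes after octet 4
    found = []
    for t1, pdr in iter_ies(msg[hdr_len:4 + length]):
        if t1 != IE_CREATE_PDR:
            continue
        for t2, pdi in iter_ies(pdr):
            if t2 != IE_PDI:
                continue
            for t3, fteid in iter_ies(pdi):
                if t3 == IE_F_TEID and fteid and fteid[0] & CH:
                    found.append({name for bit, name in ((V4, "ipv4"), (V6, "ipv6"))
                                  if fteid[0] & bit})
    return found

def mismatched(msg, configured):
    """CH=1 requests naming a family not in `configured` (assumed reading)."""
    return [fams for fams in choose_fteids(msg) if not fams <= configured]

# Constructed sample, cut down to the IEs this check reads (not a capture):
# header, Create PDR { PDR ID, PDI { Source Interface, F-TEID flags=CH|V6 } }.
SAMPLE = bytes.fromhex(
    "21320024" "0000000000000000" "00000100" "00010014" "003800020001"
    "0002000a" "0014000100" "0015000106")

if __name__ == "__main__":
    print(mismatched(SAMPLE, configured={"ipv4"}))  # operator-supplied set
```

Feed it the UDP payloads seen on port 8805 and alert on any non-empty result from a peer, alongside the crash-log indicators listed above.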

SIEM Query:

source="open5gs-upf.log" AND "assertion failed" AND "ogs_pfcp_object_teid_hash_set"
