CVE-2025-69251

5.3 MEDIUM

📋 TL;DR

Remote attackers can inject control characters into the ueId parameter of free5gc UDM's Nudm_UECM service, causing URL parsing errors that expose system implementation details. This vulnerability affects all deployments of free5GC using UDM versions up to and including 1.4.1, potentially aiding attackers in service fingerprinting and reconnaissance.

💻 Affected Systems

Products:
  • free5gc UDM (Unified Data Management)
Versions: Up to and including version 1.4.1
Operating Systems: All platforms running free5gc
Default Config Vulnerable: ⚠️ Yes
Notes: All deployments using the UDM Nudm_UECM service are affected. The vulnerability is in the URL parsing logic that processes the ueId parameter.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could map internal system architecture, identify software versions, and gather intelligence for more sophisticated attacks against the 5G core network.

🟠 Likely Case

Information disclosure revealing system implementation details, enabling service fingerprinting and reconnaissance.

🟢 If Mitigated

Limited information exposure with proper network segmentation and monitoring in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending specially crafted requests with control characters (e.g., %00) to the vulnerable endpoint.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Patched in free5gc/udm pull request #76

Vendor Advisory: https://github.com/free5gc/free5gc/security/advisories/GHSA-pwxh-4qh4-hgpq

Restart Required: Yes

Instructions:

1. Update free5gc UDM component to include commit 504b14458d156558b3c0ade7107b86b3d5e72998
2. Rebuild and redeploy the UDM service
3. Restart all affected services

🔧 Temporary Workarounds

No application-level workaround

The vendor states no direct workaround is available at the application level. Network-level controls are recommended.

🧯 If You Can't Patch

  • Implement strict network segmentation to limit access to UDM services
  • Deploy WAF rules to block requests containing control characters in URL parameters
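
The filtering rule above, sketched as a Go HTTP middleware placed in front of the service. This is an added example, not free5gc code and not the fix from pull request #76; the request path layout, the sample SUPI, the `upstream.invalid` host and the `backend` handler (a stand-in that echoes a URL parse error the way the advisory describes) are assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// hasCTL reports an ASCII control byte (< 0x20 or 0x7f), which net/url refuses to parse.
func hasCTL(s string) bool {
	return strings.IndexFunc(s, func(r rune) bool { return r < 0x20 || r == 0x7f }) >= 0
}

// rejectCTL returns a generic 400 when the decoded path or query holds a control character.
func rejectCTL(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		q, err := url.QueryUnescape(r.URL.RawQuery)
		if err != nil || hasCTL(r.URL.Path) || hasCTL(q) {
			http.Error(w, "invalid request", http.StatusBadRequest) // no parser detail
			return
		}
		next.ServeHTTP(w, r)
	})
}

// backend is a constructed stand-in (not UDM code) that echoes a URL parse error to the client.
func backend(w http.ResponseWriter, r *http.Request) {
	if _, err := url.Parse("http://upstream.invalid" + r.URL.Path); err != nil {
		http.Error(w, err.Error(), http.StatusInternalServerError)
	}
}

// probe sends GET rawPath to the stand-in, optionally behind rejectCTL.
func probe(guarded bool, rawPath string) (int, string) {
	var h http.Handler = http.HandlerFunc(backend)
	if guarded {
		h = rejectCTL(h)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, rawPath, nil))
	return rec.Code, strings.TrimSpace(rec.Body.String())
}

func main() {
	p := "/nudm-uecm/v1/imsi-208930000000001%00/registrations" // constructed sample
	fmt.Println(probe(false, p))
	fmt.Println(probe(true, p))
}
```

The check runs on the decoded path and query, because the percent-encoded form (`%00`) contains no raw control byte and passes the server's own request-line parsing.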

🔍 How to Verify

Check if Vulnerable:

Send a request to the Nudm_UECM endpoint with a ueId parameter containing control characters such as %00, and check whether the response contains a URL parsing error.

Check Version:

Check free5gc UDM version in deployment configuration or via service logs

Verify Fix Applied:

After patching, repeat the test with control characters; requests should be properly rejected without exposing system details.

📡 Detection & Monitoring

Log Indicators:

  • URL parsing errors in UDM logs
  • net/url: invalid control character error messages
  • Unusual requests to Nudm_UECM endpoints

Network Indicators:

  • HTTP requests with control characters in URL parameters
  • Increased error responses from UDM services

SIEM Query:

source="udm.log" AND ("invalid control character" OR "net/url" OR "parsing error")
