CVE-2025-69253

5.3 MEDIUM

📋 TL;DR

The free5GC User Data Repository versions up to 1.4.1 leak detailed internal parsing error messages through the NEF component. This allows remote attackers to perform service fingerprinting and gather intelligence about the 5G core network implementation. All deployments using the Nnef_PfdManagement service are affected.

💻 Affected Systems

Products:
  • free5GC User Data Repository
Versions: Up to and including 1.4.1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects deployments using the Nnef_PfdManagement service within the free5GC architecture.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could map internal service structures, identify software versions, and use this intelligence to plan targeted attacks against the 5G core network.

🟠 Likely Case

Information disclosure that enables reconnaissance and service fingerprinting, potentially revealing implementation details that could aid in developing further exploits.

🟢 If Mitigated

Limited information exposure with proper error handling, preventing attackers from gaining insights into internal system architecture.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending malformed requests to trigger parsing errors and observing the detailed error responses.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Patched in free5gc/udr pull request 56

Vendor Advisory: https://github.com/free5gc/free5gc/security/advisories/GHSA-cj2h-x8qm-xgwc

Restart Required: Yes

Instructions:

1. Update the free5GC UDR component to a version containing commit 754d23b03755ad59077ed529ce3b971e477080c4
2. Apply the patch from pull request 56
3. Restart the UDR service
4. Verify error messages no longer contain internal parsing details

🔧 Temporary Workarounds

Network-level filtering

Implement network filtering to block or sanitize error messages before they reach external clients

🧯 If You Can't Patch

  • Implement a reverse proxy or WAF to intercept and sanitize error responses
  • Restrict network access to the Nnef_PfdManagement service to trusted internal networks only

🔍 How to Verify

Check if Vulnerable:

Send malformed JSON requests to the Nnef_PfdManagement endpoint and check if detailed parsing errors (like 'invalid character') are returned

Check Version:

Check free5GC UDR version or verify commit 754d23b03755ad59077ed529ce3b971e477080c4 is present

Verify Fix Applied:

After patching, send malformed requests and verify only generic error messages are returned without internal parsing details
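
The leak and the behaviour expected after the fix, as an added Go example (not free5GC's code or the patch from pull request 56): a hypothetical handler `pfdHandler` puts the JSON decoder error into the response when `leak` is true and only logs it otherwise. The `problem` fields, the `MALFORMED_REQUEST` cause and the `/pfd` path are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"log"
	"net/http"
	"net/http/httptest"
	"strings"
)

// problem is a constructed error body; the field names are assumptions.
type problem struct {
	Status int    `json:"status"`
	Cause  string `json:"cause"`
	Detail string `json:"detail,omitempty"`
}

// pfdHandler is a hypothetical JSON endpoint; leak selects the weak behaviour.
func pfdHandler(leak bool) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		var body map[string]interface{}
		err := json.NewDecoder(r.Body).Decode(&body)
		if err == nil {
			w.WriteHeader(http.StatusNoContent)
			return
		}
		p := problem{Status: http.StatusBadRequest, Cause: "MALFORMED_REQUEST"}
		if leak {
			p.Detail = err.Error() // weak: decoder internals reach the client
		} else {
			// hardened: the detail stays in the server log only
			log.Printf("rejected body from %s: %v", r.RemoteAddr, err)
		}
		w.Header().Set("Content-Type", "application/problem+json")
		w.WriteHeader(p.Status)
		json.NewEncoder(w).Encode(p)
	}
}

// respond sends one constructed malformed body in-process and returns the reply.
func respond(leak bool) string {
	req := httptest.NewRequest(http.MethodPut, "/pfd", strings.NewReader(`{"pfds": ]`))
	rec := httptest.NewRecorder()
	pfdHandler(leak)(rec, req)
	return rec.Body.String()
}

func main() {
	fmt.Printf("leaky:    %shardened: %s", respond(true), respond(false))
}
```

The leaky reply carries the decoder's `invalid character ...` text, which is the string the check above looks for; the hardened reply contains only the status and the generic cause.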

📡 Detection & Monitoring

Log Indicators:

  • Detailed parsing error messages in application logs
  • Multiple malformed requests to Nnef_PfdManagement endpoints

Network Indicators:

  • Unusual patterns of malformed JSON requests to 5G core services
  • Detailed error responses containing parsing information

SIEM Query:

source="free5gc-udr" AND (message="invalid character" OR message="parsing error")
