Free5GC UDM Null Byte Injection Vulnerability in Subscriber Data Management API

A null byte injection vulnerability has been identified in Free5GC versions prior to 1.4.2, specifically within the User Data Management (UDM) component's Nudm_SubscriberDataManagement API. This vulnerability allows remote attackers to inject null bytes, URL-encoded as %00, into the supi path parameter. The injection causes a URL parsing failure in Go's net/url package, leading to a 500 Internal Server Error. This issue can be exploited to perform denial-of-service attacks, as the UDM fails to properly validate the injected null characters before constructing URLs for the User Data Repository (UDR). All deployments of Free5GC v4.0.1 using the UDM Nudm_SDM service with endpoints that include path parameters are affected.

Impact

Exploitation of this vulnerability causes a denial-of-service condition by injecting null bytes into the supi parameter, disrupting normal URL processing and error handling.

Remediation

Users are advised to upgrade to Free5GC version 1.4.2 or later, where this vulnerability has been fixed. The patch is available in the Free5GC UDM repository.