free5GC
cpe:2.3:a:free5gc:free5gc:*:*:*:*:*:*:*
- < v1.4.2
A vulnerability exists in free5GC UDM versions prior to 1.4.2, where the UDM incorrectly handles PATCH requests to the sdm-subscriptions endpoint that carry an empty supi path parameter. The UDM converts the 400 Bad Request response it receives from the UDR into a 500 Internal Server Error, which hides the real cause of the error from clients. The UDM also mistakenly translates PATCH requests into PUT when forwarding them to the UDR, revealing a deeper architectural flaw. The issue exposes internal error handling practices and makes it harder for clients to differentiate between client-side and server-side errors.
This vulnerability leads to improper error handling, where client-induced errors are misrepresented as server failures. The incorrect translation of HTTP methods disrupts standard REST API practices, particularly for PATCH operations.
To reproduce this vulnerability, send a PATCH request to the UDM's Nudm_SubscriberDataManagement API at the sdm-subscriptions endpoint. Include an empty supi path parameter, which can be represented by double slashes in the URL. The UDM will respond with a 500 Internal Server Error, despite the request being malformed due to the empty parameter.
Users should upgrade to free5GC version 1.4.2 or later, where this issue has been fixed.
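The following Go example is added here and is not free5GC's code or its fix. It shows the behaviour the description calls for: an empty supi is rejected with 400 before anything is forwarded, PATCH is forwarded as PATCH, and an upstream 4xx is relayed unchanged. The names `Upstream`, `Frontend` and `Probe`, and the path layout `/nudm-sdm/v2/{supi}/sdm-subscriptions/{subscriptionId}`, are assumptions made for the example.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Upstream is a hypothetical abstraction of the call to the backing NF (the UDR on this page).
type Upstream func(method, path string, body io.Reader) (status int, respBody string, err error)

// Frontend is a hypothetical handler, not free5GC code. Assumed path layout:
// /nudm-sdm/v2/{supi}/sdm-subscriptions/{subscriptionId}
func Frontend(udr Upstream) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		seg := strings.Split(r.URL.Path, "/") // "//" yields an empty segment
		if len(seg) != 6 || seg[3] == "" || seg[4] != "sdm-subscriptions" || seg[5] == "" {
			http.Error(w, "empty or missing path parameter", http.StatusBadRequest)
			return
		}
		status, body, err := udr(r.Method, r.URL.Path, r.Body) // PATCH stays PATCH
		if err != nil { // only a genuine server-side failure becomes a 5xx
			http.Error(w, "upstream call failed", http.StatusInternalServerError)
			return
		}
		w.WriteHeader(status) // relay the status: an upstream 4xx stays a 4xx
		io.WriteString(w, body)
	})
}

// Probe sends a PATCH through Frontend to a constructed in-memory upstream
// that answers 400 and records the method it was called with.
func Probe(path string) (status int, seen string) {
	udr := func(method, _ string, _ io.Reader) (int, string, error) {
		seen = method
		return http.StatusBadRequest, "bad request", nil
	}
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodPatch, path, strings.NewReader("[]"))
	Frontend(udr).ServeHTTP(rec, req)
	return rec.Code, seen
}

func main() {
	fmt.Println(Probe("/nudm-sdm/v2//sdm-subscriptions/1"))         // empty supi
	fmt.Println(Probe("/nudm-sdm/v2/imsi-001/sdm-subscriptions/1")) // constructed supi
}
```

In the first call the upstream is never reached, so the recorded method is empty; in the second the upstream's 400 reaches the client as a 400 and the upstream sees `PATCH`.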