free5GC UDR Service Improper Path Validation Vulnerability Allows Unauthenticated Subscription Manipulation

A vulnerability exists in the free5GC UDR service in versions through 4.2.1, where improper path validation allows unauthenticated attackers to create or overwrite Traffic Influence Subscriptions. The issue arises because the handler for the subscription endpoint does not properly validate the influenceId path segment. Instead of rejecting invalid values, it sends a 404 response and continues processing the request, allowing attackers to inject arbitrary notificationUri values and SUPIs by exploiting the flaw.

Impact

Exploitation of this vulnerability allows unauthorized, unauthenticated users to manipulate Traffic Influence Subscriptions, potentially disrupting network policy logic or redirecting policy-related notifications. The vulnerability could be exploited without detection, as the API response falsely indicates a failed operation.

Reproduction

To reproduce this vulnerability, send a PUT request to the UDR service's influenceData endpoint with an invalid influenceId. Include a payload that specifies a notificationUri and a SUPI. The UDR service will respond with a 404 Not Found message, but the subscription data will still be created or overwritten, including the injected notificationUri and SUPI values.

Remediation

Users can upgrade to free5GC version 4.2.2 or later, where this vulnerability has been patched by correcting the path validation logic.