free5GC NRF Type-Confusion Vulnerability in OAuth2 Token Endpoint Causes Denial-of-Service

Vulnerability

A type-confusion vulnerability has been identified in free5GC's Network Repository Function (NRF) implementation, specifically in versions through 4.2.1. The issue resides in the root Service-Based Interface (SBI) endpoint POST /oauth2/token, which is the token-issuance endpoint and intentionally unauthenticated. The vulnerability arises from the endpoint's parser, which mishandles structured form data by treating certain fields as models.PlmnId, leading to runtime panics when the data type does not match the expected format. This flaw can be exploited by sending a single unauthenticated form-encoded request that includes one of the confirmed crashing fields, causing the server to respond with an HTTP 500 error. The vulnerability is repeatable and can be used to degrade the token issuance process by amplifying request failures, generating stack traces, and polluting the server logs.

Impact

Exploitation of this vulnerability leads to a denial-of-service condition on the NRF's OAuth2 token endpoint. The type-confusion error causes the handler to panic; the Gin framework recovers from the panic and returns a 500 Internal Server Error, but each recovered panic is logged together with its stack trace, which adds log-writing overhead. Because the trigger is a single unauthenticated request, it can be repeated at will, degrading the token issuance process and disrupting normal logging operations for as long as the requests continue.

Reproduction

The vulnerability can be reproduced by sending a POST request to the NRF's OAuth2 token endpoint with the Content-Type set to application/x-www-form-urlencoded. Include one of the structured fields that trigger the type-confusion error, such as 'requesterPlmnList', 'requesterSnssaiList', 'requesterSnpnList', 'targetSnpn', 'targetSnssaiList', or 'targetNsiList'. Each of these fields, when populated with a valid PLMN identifier, will cause the server to respond with a 500 Internal Server Error, indicating that the request parsing failed due to a type mismatch.

Remediation

Users can upgrade to free5GC version 4.2.2, which addresses the type-confusion vulnerability in the NRF OAuth2 token endpoint.
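To illustrate the parsing pattern at issue, the function below (added example code, not free5GC's own code or its 4.2.2 fix) decodes a structured form field such as requesterPlmnList into a hypothetical PlmnId type and turns every shape mismatch into an ordinary error that the handler can map to HTTP 400, so a bad value never reaches a panic/recover path that writes a stack trace to the log. The field name, the JSON-array encoding of the value and the MCC/MNC validation rules are assumptions for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"regexp"
)

// PlmnId is a hypothetical stand-in for models.PlmnId (3GPP MCC + MNC).
type PlmnId struct {
	Mcc string `json:"mcc"`
	Mnc string `json:"mnc"`
}

var mccRe = regexp.MustCompile(`^[0-9]{3}$`)
var mncRe = regexp.MustCompile(`^[0-9]{2,3}$`)

// ParsePlmnField reads one structured field (e.g. requesterPlmnList) from a
// form-urlencoded body. The value must be a JSON array of PLMN objects; any other
// shape comes back as a plain error for a 400 reply, never as a panic.
func ParsePlmnField(body, field string) ([]PlmnId, error) {
	form, err := url.ParseQuery(body)
	if err != nil {
		return nil, fmt.Errorf("malformed form body: %w", err)
	}
	raw, present := form[field]
	if !present {
		return nil, nil // optional field, absent
	}
	if len(raw) != 1 {
		return nil, fmt.Errorf("%s: expected one value, got %d", field, len(raw))
	}
	var list []PlmnId
	if err := json.Unmarshal([]byte(raw[0]), &list); err != nil {
		return nil, fmt.Errorf("%s: not a JSON array of PLMN objects: %w", field, err)
	}
	for i, p := range list {
		if !mccRe.MatchString(p.Mcc) || !mncRe.MatchString(p.Mnc) {
			return nil, fmt.Errorf("%s[%d]: invalid PLMN mcc=%q mnc=%q", field, i, p.Mcc, p.Mnc)
		}
	}
	return list, nil
}

func main() {
	// Constructed sample: a bare scalar where a JSON array of PLMN objects is expected.
	_, err := ParsePlmnField("grant_type=client_credentials&requesterPlmnList=20893", "requesterPlmnList")
	fmt.Println("rejected:", err)
}
```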

Added: May 28, 2026, 4:16 AM
Updated: May 28, 2026, 4:16 AM

Vulnerability Rating (Custom Algorithm)

  spread          1.4
  impact          2.5
  exploitability  9.1
  remediation     7.7
  relevance       9.1
  threat          6.4
  urgency         2.9
  incentive       8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.