CVE-2026-33065
EPSS 0.05%
free5GC UDM incorrectly returns 500 for empty supi path parameter in DELETE sdm-subscriptions request
Description
**Impact**

This is an Improper Error Handling vulnerability with Information Exposure implications.

- **Security Impact**: The UDM incorrectly converts a downstream 400 Bad Request (from UDR) into a 500 Internal Server Error when handling DELETE requests with an empty `supi` path parameter. This leaks internal error handling behavior and makes it difficult for clients to distinguish between client-side errors and server-side failures.
- **Functional Impact**: When a client sends a DELETE request with an empty `supi` (e.g., double slashes `//` in the URL path), the UDM forwards the malformed request to UDR, which correctly returns 400. However, UDM propagates this as 500 SYSTEM_FAILURE instead of returning the appropriate 400 error to the client. This violates REST API best practices for DELETE operations.
- **Affected Parties**: All deployments of free5GC v4.0.1 using the UDM Nudm_SDM service with DELETE operations on the sdm-subscriptions endpoint.

**Patches**

Yes, the issue has been patched. The fix is implemented in PR free5gc/udm#79. Users should upgrade to the next release of free5GC that includes this commit.

**Workarounds**

There is no direct workaround at the application level. The recommendation is to apply the provided patch or implement API gateway-level validation to reject DELETE requests with empty path parameters before they reach UDM.
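As an added illustration (not free5GC's own code), a minimal Go model of the status-code mapping the advisory describes, showing the vulnerable handling beside the fixed handling. The route layout `/nudm-sdm/v2/{supi}/sdm-subscriptions/{subscriptionId}`, the UDR stub and the `MANDATORY_IE_MISSING` cause string are assumptions made for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// supiFromPath returns the {supi} segment of the assumed Nudm_SDM route
// /nudm-sdm/v2/{supi}/sdm-subscriptions/{subscriptionId}; a "//" there yields "".
func supiFromPath(path string) string {
	if parts := strings.Split(path, "/"); len(parts) > 3 {
		return parts[3]
	}
	return ""
}

// udrDelete is a constructed stand-in for the UDR client, returning HTTP status
// and ProblemDetails cause; UDR rejects an empty supi with 400.
func udrDelete(supi string) (int, string) {
	if supi == "" {
		return http.StatusBadRequest, "MANDATORY_IE_MISSING"
	}
	return http.StatusNoContent, ""
}

// deleteVulnerable mirrors the advisory: every non-2xx from UDR, including the 400
// triggered by the client's own empty supi, is collapsed into 500 SYSTEM_FAILURE.
func deleteVulnerable(path string) (int, string) {
	if status, _ := udrDelete(supiFromPath(path)); status != http.StatusNoContent {
		return http.StatusInternalServerError, "SYSTEM_FAILURE"
	}
	return http.StatusNoContent, ""
}

// deleteFixed rejects an empty supi before any downstream call and passes UDR 4xx
// responses through unchanged, reserving 500 for genuine upstream failures.
func deleteFixed(path string) (int, string) {
	supi := supiFromPath(path)
	if supi == "" {
		return http.StatusBadRequest, "MANDATORY_IE_MISSING"
	}
	if status, cause := udrDelete(supi); status < 500 {
		return status, cause
	}
	return http.StatusInternalServerError, "SYSTEM_FAILURE"
}
func main() {
	p := "/nudm-sdm/v2//sdm-subscriptions/sub-1" // constructed path with an empty supi
	fmt.Println(deleteVulnerable(p)) // 500 SYSTEM_FAILURE
	fmt.Println(deleteFixed(p))      // 400 MANDATORY_IE_MISSING
}
```

The fixed variant is what an API-gateway rule would also enforce: an empty path parameter never reaches UDR, and a genuine UDR 4xx is surfaced to the client as the client's error.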
Affected packages (2)
- Go / github.com/free5gc/udm: from 0, < 1.4.2
- Go / github.com/free5gc/udm: from 0, < 1.4.2
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N |
References (6)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2026-33065
- PATCH: https://github.com/free5gc/free5gc
- WEB: https://github.com/free5gc/free5gc/issues/783
- WEB: https://github.com/free5gc/free5gc/security/advisories/GHSA-958m-gxmc-mccm
- WEB: https://github.com/free5gc/udm/commit/88de9fa74a1b3f3522e53b4cfa2d184712ffa4ee
- WEB: https://github.com/free5gc/udm/pull/79