free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's NEF mounts the nnef-oam route group without inbound OAuth2/bearer-token authorization. A network attacker who can reach NEF on the SBI can hit the OAM route with no Authorization header at all and the handler returns 200 OK. The current OAM handler is a stub that returns null, but the structural defect is route-group-scoped: the entire OAM route group has no inbound auth middleware, so every future OAM operation added to this group inherits the missing auth boundary by default. This vulnerability is fixed in 4.2.2.
The NEF component mounts the nnef-oam route group without middleware verifying OAuth2 token or bearer token on the incoming side. This means HTTP requests to this route group are accepted and processed regardless of the presence or validity of the authorization header. Although the current OAM handler is a stub returning null, the defect is structural and affects the entire route group — any future OAM operation added to this group automatically inherits the missing authorization boundary. In this way, the vulnerability has the potential to expand its scope with code development.
An attacker with access to the SBI interface can gain unauthorized access to management operations (OAM) without any credentials, creating a risk of compromising the integrity and availability of the 5G core network and exposing configuration data once new operations are added to the route group.
Update free5GC to version 4.2.2, where the vulnerability has been fixed. Details available in the official project security advisory and pull request #23 in the nef repository.
free5GC (open-source 5G core network implementation) — NEF component, all versions before 4.2.2
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:HFree5gc
APPFree5Gc< 4.2.2
Related vulnerabilities
free5GC NEF: brak autoryzacji OAuth2 na trasach nnef-pfdmanagement
free5GC SMF: brak autoryzacji OAuth2 na endpointach UPI — pełny dostęp bez uwierzytelnienia
Brak autoryzacji OAuth2 w API NEF systemu free5GC (5G core)
Brak autoryzacji OAuth2 w NEF API sieci 5G (free5GC)
Cross-Site Request Forgery vulnerability, whose exploitation could allow an attacker to perform different acti...