free5GC UDM Input Validation Bypass Leading to URL Parse Error

Thinking Process: 1. Analyze the Request: Task: Translate a Chinese vulnerability intelligence summary to English. Role: Professional translator specializing in cybersecurity. Constraints: Maintain all Markdown formatting intact. Do not add any introductory or concluding remarks. Just output the English translation. Input: A Markdown-formatted text describing a vulnerability in free5GC (UDM component). 2. Analyze the Input Text: Title: (Vulnerability Key Information) Section 1: (Vulnerability Description) (Issue Type: Bug) (Module: UDM) (Description: UDM component lacks comprehensive input validation/cleaning on the ueId path parameter at the Nudm_UECM endpoint. When ueId contains control characters (e.g., URL-encoded NUL byte %00), the server decodes it and propagates the raw value to the downstream NUDR URL, causing URL parsing failure (net/url: invalid control character in URL).) (Relevance: Belongs to the same category as #750, but triggered differently.) Section 2: (Reproduction Steps) Steps 1-5 involving starting free5gC, checking IP/port, modifying nrfcfg.yaml, running curl command, and mentioning fuzzing seeds. Section 3: (Expected Behavior) Validate/clean ueId before processing. Reject control chars, invalid percent encoding, unexpected formats. Return appropriate 4xx client error with clear message. Avoid leaking internal implementation details. Section 4: (Environment) free5GC version, OS, Kernel, Go version. Section 5: (Impact) CWE-20. Attack Vector: Remote attacker injects control chars, triggers internal URL parsing error, exposes details, fingerprinting. Section 6: (Fix Status) Status: Fixed. Method: PR #76 implemented validation check for UE ID. Scope: All deployments using UDM Nudm_UECM service in free5GC v4.0.1. 3. Drafting the Translation (Iterative Process): Header: -> (or , but "Key Information" is standard). Let's use . Section 1: -> -> -> -> -> Section 2: -> 1. -> 2. -> 3. -> 4. -> Code block remains same. 5. -> Section 3: -> -> -> -> -> Section 4: -> -> -> -> -> Section 5: -> -> -> Section 6: -> (or ) -> -> -> 4. Review and Refine: Check Markdown syntax (bolding, headers, code blocks). Ensure technical terms are accurate (e.g., "fuzzing", "seeds", "percent encoding", "control characters"). Ensure tone is professional. Check specific terms: "Nudm_UECM", "NUDR", "ueId", "free5gC", "nrfcfg.yaml". These should remain as is. "Relevance" vs "Correlation": "相关性" in this context usually means "Related to" or "Relevance". "Related to" might be better, but "Relevance" fits the structure. Let's stick with "Relevance" or "Relation". "Related Issue" is common. The text says "与#750 属于同一类别". "Related to #750" is good. Let's use or . I will use or keep . Given the context of vulnerability reporting, is often used, but the source says . is a direct translation. Let's use for better flow in English security reports, or stick close to source . I'll choose as it sounds more natural for "Related to #750". Actually, looking at standard CVE templates, "Related" is common. Let's use . Wait, checking standard translations for "相关性" in vuln reports. Often "Related". Let's use . "Fuzzing seeds": "seeds" is correct terminology for fuzzing. "Non-3gpp-access": Keep as is. "go1.24.5": Keep as is. "PR #76": Keep as is. Refining "Relevance": "Relation" sounds better. "Related to #750". Refining "Fix Status": "Remediation Status" is very formal. "Fix Status" is direct. Let's use . Refining "Impact": "Impact" is standard. Refining "CWE 编号": "CWE ID" is standard. Re-checking Step 5: "由于进行了 HTTP 消息的模糊测试，提供了所有种子以帮助确认此问题。" -> "As HTTP message fuzzing was performed, all seeds are provided to assist in confirming this issue." Re-checking Description: "comprehensive input validation/cleaning" -> "comprehensive input validation/sanitization". "Cleaning" is okay, but "sanitization" is more technical. However, "清理" is often translated as "cleaning" or "sanitization". I will use "validation/sanitization" for professional tone. "propagates the raw value" -> "propagates the raw value". "URL parsing failure" -> "URL parsing failure". Re-checking Expected Behavior: "clear rather than technical message" -> "clear, non-technical message". Re-checking Environment: "Kernel Version". Re-checking Fix Status: "Scope" for "影响范围". 5. Final Polish: Ensure no extra text is added. Self-Correction on "Relevance": In vulnerability reports, "Related" is often used for "相关性". I will use . Self-Correction on "Cleaning": "Sanitization" is the industry standard term for input cleaning in security contexts. I will use "validation/sanitization". Self-Correction on "Seeds": "Fuzzing seeds" is correct. Let's assemble the markdown. curl -v "http://127.0.0.3:8000/nudm-uecm/v1/%00%00%00/registrations/amf-non-3gpp-access?supported-features=123" -H "Accept: application/json" Wait, check the markdown bolding in the original. Original: -> Original: -> Original: -> Original: -> (Or Relevance) Original: -> Original: -> Original: -> Original: -> Original: -> Origin

Goal Reached Thanks to every supporter — we hit 100%!

free5GC UDM Input Validation Bypass Leading to URL Parse Error

More from this source