CVE-2025-29632 PoC — free5GC Security Vulnerability

Source
Associated Vulnerability
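Title: free5GC Security Vulnerability (CVE-2025-29632)
Description: free5GC is an open-source fifth-generation (5G) mobile core network project. free5GC version 4.0.0 contains a security vulnerability caused by a buffer overflow in the AMF component, which may lead to denial of service.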
Description
the information for the vulnerability covered by CVE-2025-29632
Readme
# CVE-2025-29632
the information for the vulnerability covered by CVE-2025-29632
## Affected versions: 4.0.0 and previous versions


When free5GC processes the `InitialUEMessage`, it only checks whether the `nASPDU` reference is nil (i.e., whether it is a null pointer), but does not verify whether the content of `nASPDU` is empty. As a result, an empty byte array is passed as the parameter when `nas_security.DecodePlainNasNoIntegrityCheck(nASPDU.Value)` is called during subsequent message parsing. In this function, accessing the NAS message security header fails due to the empty value, leading to an error and a crash in the AMF.
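
The missing check described above, as an added Go example that is not free5GC's code: `NASPDU`, the decoder and both handlers are hypothetical, simplified stand-ins. The two-octet minimum is an assumption based on the 5GMM layout (extended protocol discriminator, then security header type).

```go
package main

import (
	"errors"
	"fmt"
)

// NASPDU is a hypothetical stand-in for the NGAP NAS-PDU information element.
type NASPDU struct{ Value []byte }

var ErrShortNAS = errors.New("NAS-PDU too short for security header")

// decodeSecurityHeader is a hypothetical decoder with no length check.
func decodeSecurityHeader(payload []byte) byte {
	return payload[1] & 0x0f // index out of range on an empty slice
}

// handleNilCheckOnly mirrors the pattern in the README: pointer check only.
func handleNilCheckOnly(pdu *NASPDU) (byte, error) {
	if pdu == nil {
		return 0, errors.New("NAS-PDU is nil")
	}
	return decodeSecurityHeader(pdu.Value), nil
}

// handleValidated also rejects present-but-too-short content before decoding.
func handleValidated(pdu *NASPDU) (byte, error) {
	if pdu == nil {
		return 0, errors.New("NAS-PDU is nil")
	}
	if len(pdu.Value) < 2 { // assumed minimum: discriminator + header type
		return 0, fmt.Errorf("%w: got %d octets", ErrShortNAS, len(pdu.Value))
	}
	return decodeSecurityHeader(pdu.Value), nil
}

// panics reports whether f panics, so the crash can be observed safely.
func panics(f func()) (p bool) {
	defer func() { p = recover() != nil }()
	f()
	return false
}

func main() {
	empty := &NASPDU{Value: []byte{}} // constructed input: present but empty
	fmt.Println("nil check only panics:", panics(func() { handleNilCheckOnly(empty) }))
	_, err := handleValidated(empty)
	fmt.Println("validated handler:", err)
}
```

Returning an error for the short PDU lets the caller log and drop the message while the process keeps serving other UEs.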

### poc.py is an exploit script

### ngap.pcap is the packet capture taken after the script is executed, containing the data sent by the script and the server's response

### free5gc.log is the log content of free5GC before and after the attack. The vulnerability was triggered at 00:48:15.913618097+08:00 on March 07, 2025, causing the AMF to crash.
File Snapshot

[4.0K] /data/pocs/c4c0204ade26d5096a5cafcca172e64611ce0dad
├── [ 57K] free5gc.log
├── [1.2K] ngap.pcap
├── [1.6K] poc.py
└── [ 985] README.md

0 directories, 4 files