GHSA-585v-hcgf-jhfr HIGH go/github.com/free5gc/udm

CVE: CVE-2026-42459

Summary

The free5GC UDM component fails to validate the supi path parameter in six GET handlers of the nudm-sdm (Subscriber Data Management) service. An unauthenticated attacker can inject control characters into the SUPI parameter, causing UDM to forward a malformed request to UDR and return a 500 Internal Server Error response that exposes internal infrastructure details.

Affected Package

• Ecosystem: Go
• Package: github.com/free5gc/udm
• Affected versions: <= v1.4.2
• Patched versions: none yet

Details

The following handlers in internal/sbi/api_subscriberdatamanagement.go do not call validator.IsValidSupi() before passing the supi parameter to the processor:

• HandleGetSmfSelectData — GET /:supi/smf-select-data
• HandleGetSupi — GET /:supi
• HandleGetTraceData — GET /:supi/trace-data
• HandleGetUeContextInSmfData — GET /:supi/ue-context-in-smf-data
• HandleGetNssai — GET /:supi/nssai
• HandleGetSmData — GET /:supi/sm-data

By contrast, HandleGetAmData in the same file correctly validates the supi parameter:

// HandleGetAmData — correctly validates (not vulnerable)
supi := c.Params.ByName("supi")
if !validator.IsValidSupi(supi) {
    c.JSON(http.StatusBadRequest, problemDetail)
    return
}

// HandleGetSmfSelectData — missing validation (vulnerable)
supi := c.Params.ByName("supi")
// ← no validator.IsValidSupi(supi) call
s.Processor().GetSmfSelectDataProcedure(c, supi, plmnID, supportedFeatures)

The malformed supi is passed to the processor which constructs a URL to forward the request to UDR. Go's net/url parser rejects the URL containing control characters and returns an error. UDM catches this error and responds with a 500 SYSTEM_FAILURE that includes the full internal UDR URL in the detail field.

This is a missed fix of CVE-2026-27642, which applied the same validator.IsValidSupi() check only to internal/sbi/api_ueauthentication.go (HandleConfirmAuth and

📌 来源: GitHub-Advisory | 🆔 CVE-2026-42459 | 📅 2026-05-07