Key Information

- Vulnerability ID: CVE-2025-44952
- Description: The function in the PPCP library, used by SMF and UPF in Open5GS 2.7.2 and earlier versions, lacks length checking. This allows a local attacker to trigger a buffer overflow by modifying the field to a value longer than 101 characters.
- Vulnerability Type: Buffer Overflow
- Affected Product: Open5GS
- Affected Product Code Base: Open5GS 2.7.2
- Affected Components: smf, upf, open5gs-smf, open5gs-upf
- Attack Type: Local
- Impact: Buffer Overflow
- Attack Vector: The attacker must be able to modify the configuration files of the affected network functions.
- Reference Links: https://github.com/open5gs/open5gs/issues/3775
- Confirmed Vulnerability: Yes
- Discoverer: Leonardo Segreto, Lorenzo Cannella
- Vulnerable Product: Open5GS SMF, UPF v2.7.2

Reproduction Steps

Static code analysis using FlawFinder revealed two potential buffer overflows in the PPCP library. The vulnerable function is used by SMF, UPF, SGWU, and SGWC components, making all of them potentially exploitable.

The buffer overflow occurs due to the absence of length checks when copying the and fields from the configuration file. Sufficiently large input can overflow these buffers.

To trigger the overflow:

- A string longer than 32 characters is required to overflow the field.
- A string longer than 101 characters is required to overflow the field.

For easier testing, a 368-character-long string was used to overflow the field, simplifying validation.
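The missing check described above, sketched as an added example (this is not Open5GS code and not the project's fix): a configuration string is copied into a fixed-size buffer only if it fits, and an oversize value is rejected instead of truncated. The names `cfg_entry_t`, `cfg_copy_checked` and `cfg_entry_set` are hypothetical, and the buffer capacities are assumptions taken from the 32- and 101-character thresholds stated in the advisory.

```c
#include <stddef.h>
#include <string.h>

/* Assumed capacities, taken from the thresholds stated in the advisory. */
#define SHORT_FIELD_MAX 32
#define LONG_FIELD_MAX  101

/* Hypothetical record standing in for the structure filled from the config. */
typedef struct {
    char short_field[SHORT_FIELD_MAX + 1];
    char long_field[LONG_FIELD_MAX + 1];
} cfg_entry_t;

/* Unsafe pattern the advisory describes: strcpy(dst, src) with no length check. */

/* Copy src into dst only if it fits, terminating NUL included.
 * Returns 0 on success, -1 on NULL input or oversize src (dst is left untouched). */
int cfg_copy_checked(char *dst, size_t dst_size, const char *src)
{
    const char *end;

    if (dst == NULL || dst_size == 0 || src == NULL)
        return -1;
    end = memchr(src, '\0', dst_size);   /* never scans past dst_size bytes */
    if (end == NULL)
        return -1;                       /* too long: reject, do not truncate */
    memcpy(dst, src, (size_t)(end - src) + 1);
    return 0;
}

/* Fill an entry from two configuration strings; fail closed on any oversize value. */
int cfg_entry_set(cfg_entry_t *e, const char *short_val, const char *long_val)
{
    cfg_entry_t tmp = {0};

    if (e == NULL)
        return -1;
    if (cfg_copy_checked(tmp.short_field, sizeof(tmp.short_field), short_val) != 0)
        return -1;
    if (cfg_copy_checked(tmp.long_field, sizeof(tmp.long_field), long_val) != 0)
        return -1;
    *e = tmp;                            /* commit only when both fields are valid */
    return 0;
}
```

Rejecting the value at configuration load time surfaces the bad entry as a startup error rather than leaving a silently truncated name in use.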