Critical Vulnerability Information

Vulnerability Description

Core Issue: In free5GC, when the requester sets to "NRF", the function bypasses all scope validation.

Impact: Any Network Function (NF), including those not authorized to access specific services, can obtain an access token with arbitrary scopes by setting in the access token request. This leads to privilege escalation, such as UDM gaining access to sensitive scopes (e.g., , ) and using malicious tokens to access protected UDM endpoints.

How to Reproduce

1. Use to request an access token by setting to NRF and including privileged scopes.
2. Observe that a token carrying the requested scope is issued.
3. Use the obtained token to call a protected UDM SDM API.
4. Observe that the request is accepted instead of being rejected, resulting in privilege escalation.

Expected Behavior

NRF should enforce full scope validation under all circumstances: it should validate whether the requesting NF has permission to access the requested scope. Setting should not disable scope checking. Unauthorized NFs should receive an HTTP 403 Forbidden or an OAuth error response (invalid_scope).

Environment

free5GC Version: v4.1.0
Operating System: Ubuntu 20.04 LTS
Kernel Version: 5.8.0-63-generic
Go Version: 1.24-bullseye linux/amd64

Configuration Files

configs.zip

Fix Status

The fix has been implemented and is awaiting review. Code changes can be tracked in the associated Pull Request. Verified through testing: after the fix, out-of-scope requests are correctly rejected.

CVE Identifier

This vulnerability has been reported as CVE-2025-66719.
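The Expected Behavior above describes the check an NRF token endpoint must apply: every requested scope is compared against what the requesting NF type is allowed, the check cannot be switched off by anything the requester supplies, and failure yields 403 / invalid_scope. The following is an added illustration of that check and is not free5GC's code or its fix. The scope allow-list (scopePolicy), the NF types and scope names in it, and the helper names ValidateScope and DecideTokenRequest are all assumptions constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrInvalidScope is the OAuth error the report asks NRF to return.
var ErrInvalidScope = errors.New("invalid_scope")

// scopePolicy is a constructed, hypothetical allow-list mapping a requesting
// NF type to the service scopes it may be granted. It is not free5GC's policy.
var scopePolicy = map[string]map[string]bool{
	"AMF": {"nudm-sdm": true, "nudm-uecm": true, "nausf-auth": true},
	"SMF": {"nudm-sdm": true, "nudm-uecm": true},
	"UDM": {"nudr-dr": true},
	// "NRF" deliberately has no entry: a requester claiming to be NRF gets no
	// special treatment and is rejected unless a policy entry explicitly exists.
}

// ValidateScope returns the scopes NRF may grant to requesterNfType, or an
// error wrapping ErrInvalidScope. The check runs unconditionally: nothing
// about the requester-supplied NF type can turn it off.
func ValidateScope(requesterNfType, requestedScope string) ([]string, error) {
	allowed, ok := scopePolicy[requesterNfType]
	if !ok {
		return nil, fmt.Errorf("%w: no scope policy for requester NF type %q", ErrInvalidScope, requesterNfType)
	}
	scopes := strings.Fields(requestedScope) // OAuth scopes are space-separated
	if len(scopes) == 0 {
		return nil, fmt.Errorf("%w: empty scope", ErrInvalidScope)
	}
	granted := make([]string, 0, len(scopes))
	for _, s := range scopes {
		if !allowed[s] {
			// Reject the whole request rather than silently narrowing the scope,
			// so a caller cannot probe for partially accepted scope sets.
			return nil, fmt.Errorf("%w: %q is not permitted for %s", ErrInvalidScope, s, requesterNfType)
		}
		granted = append(granted, s)
	}
	return granted, nil
}

// TokenDecision models the HTTP outcome of a token request after scope
// validation: 403 with an OAuth error body, or 200 with the granted scope.
type TokenDecision struct {
	Status int
	Body   map[string]string
}

// DecideTokenRequest applies ValidateScope and maps the result to the
// response the report expects (403 Forbidden with invalid_scope on failure).
func DecideTokenRequest(requesterNfType, requestedScope string) TokenDecision {
	granted, err := ValidateScope(requesterNfType, requestedScope)
	if err != nil {
		return TokenDecision{
			Status: 403,
			Body:   map[string]string{"error": "invalid_scope", "error_description": err.Error()},
		}
	}
	return TokenDecision{
		Status: 200,
		Body:   map[string]string{"scope": strings.Join(granted, " ")},
	}
}

func main() {
	// Constructed sample requests: one permitted, one over-privileged,
	// one that claims to be NRF and must still be validated.
	for _, c := range [][2]string{
		{"AMF", "nudm-sdm nudm-uecm"},
		{"UDM", "nudm-sdm"},
		{"NRF", "nudm-sdm nudm-uecm"},
	} {
		d := DecideTokenRequest(c[0], c[1])
		fmt.Printf("%s requesting %q -> %d %v\n", c[0], c[1], d.Status, d.Body)
	}
}
```

The design point is that the policy lookup keys on the requester's NF type and nothing else; there is no branch that returns early for a privileged-looking value, so the only way a scope is granted is an explicit allow-list entry.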