free5GC NEF/UDR Improper Error Handling Leads to Info Disclosure (CWE-209)

Thinking Process: 1. Analyze the Request: Role: Professional translator specializing in cybersecurity. Task: Translate a Chinese vulnerability intelligence summary to English. Constraints: Maintain all Markdown formatting intact. Do not add any introductory or concluding remarks. Just output the English translation. Input: A Markdown formatted text containing sections like "关键信息" (Key Information), "漏洞标题" (Vulnerability Title), "漏洞描述" (Vulnerability Description), etc. 2. Analyze the Input Text: Header: (Key Information) Sub-header: (Vulnerability Title) Content: (This part is already in English, keep as is). Sub-header: (Vulnerability Description) Content: Bullet points describing the issue (NEF returns 500 instead of 404, UDR generates invalid JSON). Sub-header: (Reproduction Steps) Content: Numbered list (Start free5gc, check IP/port, modify config, use curl, provide seeds). Sub-header: (Expected Behavior) Content: Bullet points (Return 4xx, clear error message, handle non-JSON downstream errors). Sub-header: (Environment) Content: List of versions (free5GC, OS, Kernel, Go). Sub-header: (Root Cause and Fix) Content: Bullet points (Missing return statement, PR submitted). Sub-header: (Impact) Content: Bullet points (CWE-388, CWE-209, Security impact, Functional impact). Sub-header: (Fix Status) Content: Bullet point (Commit hash, included in subsequent versions). 3. Translation Strategy: Terminology: Use standard cybersecurity and software development terminology (e.g., "Vulnerability", "Reproduction Steps", "Root Cause", "Impact", "Fix Status"). Formatting: Strictly preserve Markdown headers ( , ), lists ( , ), and code blocks (` ` 关键信息 Key Information 漏洞标题 Vulnerability Title 漏洞描述 Vulnerability Description 复现步骤 Reproduction Steps 期望行为 Expected Behavior 环境 Environment 根本原因及修复 Root Cause and Fix 影响 Impact 修复状态 Fix Status free5gc free5GC free5GC free5gc free5GC free5gc free5GC free5GC free5gc free5GC free5GC free5gc free5GC free5GC nrfcfg.yaml curl UDR NEF PFD Nnef_PfdManagement CWE-388 CWE-209 commit 91bb34b 关键信息 Key Information 漏洞标题 Vulnerability Title [Bugs] ... 漏洞描述 Vulnerability Description - 当请求的 不存在于 UDR 中时，NEF 返回 500 Internal Server Error，而不是 404 Not Found。 - When the requested does not exist in the UDR, NEF returns a 500 Internal Server Error instead of 404 Not Found. - UDR 没有正确处理下游 404 错误，而是生成了无效的 JSON 响应，导致 NEF 解析失败并返回 500 错误。 - The UDR did not handle the downstream 404 error correctly, but instead generated an invalid JSON response, causing NEF parsing to fail and return a 500 error. 复现步骤 Reproduction Steps 1. 启动 。 1. Start . free5gc free5GC free5GC 2. 检查 NEF 组件的 IP 和端口。 2. Check the IP and port of the NEF component. 3. 将 中的 设置为 。 3. Set to in . 4. 使用特定的 命令触发行为。 4. Use a specific command to trigger the behavior. 5. 提供所有种子以帮助确认问题。 5. Provide all seeds to help confirm the issue. 期望行为 Expected Behavior - 当请求的 PFD 数据不存在时（UDR 返回 404），NEF 应返回适当的 4xx 响应（最好为 404 Not Found）。 - When the requested PFD data does not exist (UDR returns 404), NEF should return an appropriate 4xx response (preferably 404 Not Found). - 提供清晰且无害的错误消息，不包含内部 JSON 解析错误。 - Provide a clear and harmless error message that does not contain internal JSON parsing errors. - 正确处理非 JSON 的下游错误体，避免将下游 404 视为系统故障。 - Correctly handle non-JSON downstream error bodies to avoid treating downstream 404s as system failures. 环境 Environment - free5GC 版本：v4.0.1 - free5GC Version: v4.0.1 - 操作系统：Ubuntu 20.04 Server - Operating System: Ubuntu 20.04 Server - 内核版本：6.8.0-47-generic - Kernel Version: 6.8.0-47-generic - Go 版本：go1.24.5 linux/amd64 - Go Version: go1.24.5 linux/amd64 根本原因及修复 Root Cause and Fix - UDR 中缺少 语句，导致了两个 JSON 值写入响应体，从而产生无效 JSON。 - A missing statement in the UDR caused two JSON values to be written to the response body, resulting in invalid JSON. - 提交了 PR 以修复此问题，并添加了缺失的 语句。 - A PR was submitted to fix this issue, adding the missing statement. 影响 Impact - 不适当的错误处理（CWE-388）导致信息暴露（CWE-209）。 - Improper error handling (CWE-388) leads to information disclosure (CWE-209). - 安全影响：NEF 泄露内部解析错误详细信息。 - Security Impact: NEF leaks internal parsing error details. - 功能影响：系统在应返回 404 时返回 500，阻碍故障排查。 - Functional Impact: The system returns 500 when it should return 404, hindering troubleshooting. 修复状态 Fix Status - 通过 commit 91bb34b 修复，已包含在后续版本中。 - Fixed via commit 91bb34b, included in subsequent versions. free5gc free5GC free5GC free5gc free5GC return return - 1. free5gc free5GC go1.24.5 go1.24.5 漏洞标题 [Bugs] NEF incorrectly returns 500... free5gc free5GC free5GC 关键信息 Critical Information Key Information Key Information Key Information 漏洞标题 Vulnerability Title 漏洞描述 Vulnerability Description 复现步骤 Reproduction Steps 期望行为 Expected Behavior 环境 Environment 根本原因及修复 Root Cause and Fix 影响 Impact 修复状态 Fix Status go1.24.5 go1.24.5 nrfcfg.yaml oauth curl appid PFD UDR NEF Nnef_PfdManagement CWE-388 CWE-209 commit 91bb34b Ubuntu 20.04 Server 6.8.0-47-generic linux/amd64 v4.0.1`. Keep as is. Okay

Goal Reached Thanks to every supporter — we hit 100%!

free5GC NEF/UDR Improper Error Handling Leads to Info Disclosure (CWE-209)

More from this source