Free5Gc · Free5Gc · CVE-2026-42459
**Name of the Vulnerable Software and Affected Versions**
free5GC versions prior to 4.2.2
**Description**
The UDM component fails to validate the `supi` path parameter in six GET handlers of the `nudm-sdm` (Subscriber Data Management) service. An unauthenticated attacker can inject control characters into the `supi` parameter, causing the UDM to forward a malformed request to the UDR. This results in a 500 Internal Server Error response that exposes internal infrastructure details, including the internal UDR hostname, port, API path structure, and service naming conventions.
The affected API endpoints are:
- `/:supi/smf-select-data` (handled by `HandleGetSmfSelectData()`)
- `/:supi` (handled by `HandleGetSupi()`)
- `/:supi/trace-data` (handled by `HandleGetTraceData()`)
- `/:supi/ue-context-in-smf-data` (handled by `HandleGetUeContextInSmfData()`)
- `/:supi/nssai` (handled by `HandleGetNssai()`)
- `/:supi/sm-data` (handled by `HandleGetSmData()`)
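The two defensive measures that address this class of bug, as an added example in Go (not free5GC's own code): validate the `supi` path parameter against the 3GPP TS 29.571 Supi formats before any request is built for the UDR, and map an upstream failure to a generic 500 body so the UDR hostname, port and path stay in server-side logs only. `fetchFromUDR` is a stand-in for the real UDR client and the NAI pattern is narrowed for the example; both are assumptions.

```go
package main

import (
	"errors"
	"log"
	"net/http"
	"regexp"
	"unicode"
)

// Supi formats per 3GPP TS 29.571 (imsi-<5..15 digits> or nai-<...>); the NAI
// form is narrowed here for the example (an assumption, not free5GC's rule).
var supiPattern = regexp.MustCompile(`^(imsi-[0-9]{5,15}|nai-[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+)$`)

// ErrInvalidSupi marks a value that is answered locally and never sent to the UDR.
var ErrInvalidSupi = errors.New("invalid supi")

// ValidateSupi rejects control characters (the trigger in this CVE) and any
// non-ASCII rune first, then enforces the structural Supi format.
func ValidateSupi(supi string) error {
	if supi == "" || len(supi) > 64 {
		return ErrInvalidSupi
	}
	for _, r := range supi {
		if unicode.IsControl(r) || r > unicode.MaxASCII {
			return ErrInvalidSupi
		}
	}
	if !supiPattern.MatchString(supi) {
		return ErrInvalidSupi
	}
	return nil
}

// GetSupiData models a hardened GET /:supi handler: validate, call the UDR,
// and keep the upstream error text (which may carry host, port and path) out
// of the response body. fetchFromUDR stands in for the UDR client (assumption).
func GetSupiData(supi string, fetchFromUDR func(string) (string, error)) (int, string) {
	if err := ValidateSupi(supi); err != nil {
		return http.StatusBadRequest, `{"title":"Bad Request","status":400,"detail":"invalid supi"}`
	}
	data, err := fetchFromUDR(supi)
	if err != nil {
		log.Printf("udr request failed for supi %q: %v", supi, err) // server-side only
		return http.StatusInternalServerError, `{"title":"Internal Server Error","status":500}`
	}
	return http.StatusOK, data
}
```

A malformed `supi` is now answered with 400 before the UDM talks to the UDR, and a genuine UDR failure produces a body with no infrastructure detail.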
**Recommendations**
Update to version 4.2.2.
As a temporary workaround, restrict access to the `nudm-sdm` service endpoints to trusted networks to minimize the risk of internal infrastructure exposure.