Tommi Maekilae

Researcher at CyRC
#32390 of 53,638
7.8 total CVSS
Vulnerabilities · 1
PT-2023-1375
7.8
2023-01-31
Open5Gs · Open5Gs Gtp · CVE-2023-23846
**Name of the Vulnerable Software and Affected Versions**

Open5GS GTP versions prior to 2.4.13
Open5GS GTP versions prior to 2.5.7

**Description**

The issue is related to insufficient length validation in the Open5GS GTP library, which can cause an infinite loop when parsing extension headers in GPRS tunneling protocol (GTPv1-U) messages. This occurs when a protocol payload has any extension header length set to zero, resulting in denial of service and excessive resource consumption. The affected process becomes immediately unresponsive.

**Recommendations**

For versions prior to 2.4.13, update to version 2.4.13 or later.
For versions prior to 2.5.7, update to version 2.5.7 or later.
As a temporary workaround, consider restricting the parsing of extension headers in GTPv1-U messages to prevent infinite loops until a patch is available.
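
An added example, not Open5GS code: a bounds-checked walk of the GTPv1-U extension header chain that rejects a zero length octet, the condition the description says stalls the parser. The header layout follows 3GPP TS 29.281; the function name `gtpu_payload_offset` and the sample packet are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define GTPU_FLAG_E   0x04           /* extension header flag */
#define GTPU_FLAG_OPT 0x07           /* E | S | PN: any set adds 4 optional octets */
#define GTPU_MAX_LEN  (8 + 65535)    /* mandatory header + 16-bit length field */

/* Hypothetical helper: offset of the T-PDU, or -1 if the packet is malformed. */
int gtpu_payload_offset(const uint8_t *pkt, size_t len)
{
    size_t off = 12;                 /* first octet after the optional fields */
    uint8_t next;

    if (len < 8 || len > GTPU_MAX_LEN || (pkt[0] >> 5) != 1)
        return -1;                   /* too short, too long, or not GTP version 1 */
    if (!(pkt[0] & GTPU_FLAG_OPT))
        return 8;                    /* mandatory header only */
    if (len < 12)
        return -1;
    next = (pkt[0] & GTPU_FLAG_E) ? pkt[11] : 0;   /* next extension header type */

    while (next != 0) {
        size_t ext_len;
        if (off >= len)
            return -1;               /* length octet is outside the buffer */
        ext_len = (size_t)pkt[off] * 4;            /* length is in 4-octet units */
        if (ext_len == 0)
            return -1;               /* zero length: the cursor would never advance */
        if (ext_len > len - off)
            return -1;               /* header runs past the end of the buffer */
        next = pkt[off + ext_len - 1];             /* last octet names the next type */
        off += ext_len;
    }
    return (int)off;
}

int main(void)
{
    /* Constructed sample: E flag set, one extension header with length octet 0. */
    const uint8_t zero_len[] = { 0x34, 0xFF, 0x00, 0x08, 0, 0, 0, 1,
                                 0, 0, 0, 0x85, 0x00, 0x00, 0x00, 0x00 };
    printf("zero-length header -> %d\n",
           gtpu_payload_offset(zero_len, sizeof zero_len));
    return 0;
}
```

Without the `ext_len == 0` check, `off` stays fixed and `next` is re-read from the same non-zero octet on every pass, so the loop never terminates.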