PT-2026-26208 · Free5Gc · Free5Gc

Alonza0314 · Published 2026-03-18 · Updated 2026-03-27 · CVE-2026-33191

CVSS v4.0: 8.7 (High)

Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions

Free5GC versions prior to 1.4.2

Description

Free5GC is an open-source 5G mobile core network project. Versions prior to 1.4.2 are susceptible to a null byte injection issue in URL path parameters. A remote attacker can inject null bytes (URL-encoded as %00) into the supi path parameter of the UDM's Nudm SubscriberDataManagement API. This causes a failure in URL parsing within Go’s net/url package, resulting in a 500 Internal Server Error. This can be exploited to launch denial of service attacks. Specifically, when the supi parameter includes null characters, the UDM attempts to construct a URL for UDR containing these characters. Go’s URL parser rejects these characters, causing the request to fail. The affected API endpoint is /nudm-sdm/v2/{supi}/am-data.

Recommendations

Upgrade to Free5GC version 1.4.2 or later. As a temporary workaround, implement API gateway-level validation to reject requests containing null bytes in path parameters before they reach UDM.
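
The gateway-level workaround can be sketched as Go net/http middleware. This is an added example, not Free5GC code or the upstream fix, and it goes slightly beyond the advisory by rejecting every ASCII control byte that net/url refuses, not only 0x00. The `udm` stand-in handler, the `udr.example` host with its placeholder path, and the sample SUPI are assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// hasControlByte reports whether s holds an ASCII control character
// (0x00-0x1F or 0x7F), the class Go's net/url parser refuses in a URL.
func hasControlByte(s string) bool {
	return strings.IndexFunc(s, func(r rune) bool { return r < 0x20 || r == 0x7f }) >= 0
}

// RejectControlBytes is the gateway check: r.URL.Path is already percent-decoded,
// so an incoming %00 shows up here as a raw 0x00 byte and is answered with 400.
func RejectControlBytes(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if hasControlByte(r.URL.Path) {
			http.Error(w, "invalid character in path", http.StatusBadRequest)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// udm is a hypothetical stand-in for the UDM handler (not Free5GC code): it builds
// a downstream URL from the supi segment and answers 500 when parsing fails.
var udm = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
	supi := strings.Split(strings.TrimPrefix(r.URL.Path, "/nudm-sdm/v2/"), "/")[0]
	if _, err := url.Parse("http://udr.example/placeholder/" + supi); err != nil {
		http.Error(w, "internal error", http.StatusInternalServerError)
	}
})

// Status sends a GET for target through h and returns the response code.
func Status(h http.Handler, target string) int {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, target, nil))
	return rec.Code
}

func main() {
	bad := "/nudm-sdm/v2/imsi-208930000000001%00/am-data" // constructed sample SUPI
	fmt.Println(Status(udm, bad), Status(RejectControlBytes(udm), bad))
}
```

The check inspects the decoded path rather than searching the raw request line for the literal string %00, so it does not depend on how the client encoded the byte.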

Related Identifiers

CVE-2026-33191
GHSA-P9HG-PQ3Q-V9GV
GO-2026-4763
SUSE-SU-2026:1135-1

Affected Products

Free5Gc