free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, PCF Npcf_SMPolicyControl missing authentication middleware allows unauthenticat…

free5GC, an open-source 5G core network implementation, contains a critical authentication bypass vulnerability in versions prior to 4.2.2. The PCF Npcf_SMPolicyControl service is missing authentication middleware, allowing unauthenticated access to SM policy handlers. This enables attackers to access sensitive endpoints including /npcf-smpolicycontrol/v1/sm-policies and related routes without valid OAuth tokens. The vulnerability can lead to disclosure of subscriber SUPI (Subscription Permanent Identifier) information. The issue stems from the smPolicyGroup route group being created without attaching the RouterAuthorizationCheck middleware, unlike other PCF service groups. The vulnerability has been patched in version 4.2.2.