


Perceptive Security
SOC/SIEM Consultancy

free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's NRF root SBI endpoint POST /oauth2/token contains a parser-level type…
Published:
26 May 2026 at 22:00:00
Alert date:
27 May 2026 at 18:07:10
Source:
nvd.nist.gov
Network Infrastructure, Mobile & IoT, Web Technologies
free5GC, an open-source 5G core network implementation, contains a type-confusion vulnerability in its NRF OAuth2 token endpoint prior to version 4.2.2. The flaw is in the handler for POST /oauth2/token, which parses form data incorrectly and treats most fields as PlmnId objects. The resulting type mismatches trigger panics when incompatible types are assigned. The endpoint can be exploited remotely through unauthenticated form-encoded requests, causing HTTP 500 errors and repeated denial of service. The vulnerable code is in NFs/nrf/internal/sbi/api_accesstoken.go, and the issue has been fixed in version 4.2.2.
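The bug class described above, as an added Go example that is not free5GC's code: `TokenReq`, `fieldFor` and both parser functions are hypothetical, and assigning fields through reflection is an assumption made for illustration. `parseConfused` reproduces the panic on a constructed form body, while `parseChecked` decodes by field type and returns an error instead.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"reflect"
)

// Hypothetical, simplified stand-ins and key mapping; not free5GC's actual code.
type PlmnId struct{ Mcc, Mnc string }
type TokenReq struct {
	GrantType     string
	RequesterPlmn PlmnId
}
var fieldFor = map[string]string{"grant_type": "GrantType", "requesterPlmn": "RequesterPlmn"}

// parseConfused shows the bug class: every value is set as a PlmnId; it returns any recovered panic.
func parseConfused(form url.Values) (req TokenReq, panicked any) {
	defer func() { panicked = recover() }()
	for key, vals := range form {
		if name, ok := fieldFor[key]; ok {
			f := reflect.ValueOf(&req).Elem().FieldByName(name)
			f.Set(reflect.ValueOf(PlmnId{Mcc: vals[0]}))
		}
	}
	return req, nil
}

// parseChecked decodes by the field's kind; undecodable input is an error (HTTP 400), not a panic.
func parseChecked(form url.Values) (req TokenReq, err error) {
	for key, vals := range form {
		if name, ok := fieldFor[key]; ok {
			f := reflect.ValueOf(&req).Elem().FieldByName(name)
			if f.Kind() == reflect.String {
				f.SetString(vals[0])
			} else if err = json.Unmarshal([]byte(vals[0]), f.Addr().Interface()); err != nil {
				return req, fmt.Errorf("bad %s: %w", key, err)
			}
		}
	}
	return req, nil
}

func main() {
	form, _ := url.ParseQuery("grant_type=client_credentials") // constructed request body
	fmt.Println(parseConfused(form))
	fmt.Println(parseChecked(form))
}
```

Without a recovery layer, the panic in `parseConfused` would terminate the goroutine serving the request; with one, each such request surfaces as an HTTP 500, which matches the symptom the advisory describes.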
Technical details
Affected products:
free5GC
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-44325
https://github.com/free5gc/free5gc/issues/918
https://github.com/free5gc/free5gc/security/advisories/GHSA-f8qv-7x5w-qr48
https://github.com/free5gc/nrf/commit/f7bc77daa7425506af7569f2e61c2a210f5a0423
https://github.com/free5gc/nrf/pull/83
This article was created with the assistance of AI technology by Perceptive.
