free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's NRF root SBI endpoint POST /oauth2/token contains a parser-level type…

free5GC, an open-source 5G core network implementation, contains a parser-level type-confusion vulnerability in its NRF root SBI endpoint POST /oauth2/token prior to version 4.2.2. The vulnerability exists in the handler located at NFs/nrf/internal/sbi/api_accesstoken.go which incorrectly processes field types, treating most fields as models.PlmnId regardless of their actual type. Attackers can exploit this remotely without authentication by sending malformed form-encoded requests to the endpoint, causing the application to panic when incompatible types are assigned. While Gin recovery converts panics to HTTP 500 errors, the endpoint remains vulnerable to repeated denial-of-service attacks. The vulnerability has been patched in version 4.2.2.