free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's SMF mounts the UPI management route group without OAuth2/bearer-token…

free5GC, an open-source 5G core network implementation, contains a critical authorization bypass vulnerability in versions prior to 4.2.2. The Session Management Function (SMF) component mounts the UPI management route group without OAuth2/bearer-token authorization middleware. This allows network attackers who can reach the SMF on the Service Based Interface (SBI) to access UPI endpoints without any authorization headers. The vulnerability enables unauthorized read, write, and delete operations on UP node links through various HTTP methods. The issue was demonstrated in a Docker lab environment and affects the core security of 5G network infrastructure. The vulnerability has been patched in version 4.2.2 of free5GC.