CVE-2025-55904: Open5GS v2.7.5: Denial of Service via Empty HTTP Request
CVE-2025-55904
Summary
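Open5GS, a 5G network software package, is vulnerable to a denial of service (DoS) attack: a multipart/related HTTP POST request with an empty body triggers a NULL pointer dereference, which could cause the system to become unresponsive. Open5GS v2.7.5 is affected prior to commit 67ba7f92bbd7a378954895d96d9d7b05d5b64615, and the affected-versions entry below lists releases before 2.7.6.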
What to do
Update to an Open5GS build that includes commit 67ba7f92bbd7a378954895d96d9d7b05d5b64615 (linked as Patch below). Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions |
|---|---|---|
| open5gs | open5gs | < 2.7.6 (`cpe:2.3:a:open5gs:open5gs:*:*:*:*:*:*:*:*`) |
Original title
Open5GS v2.7.5, prior to commit 67ba7f92bbd7a378954895d96d9d7b05d5b64615, is vulnerable to a NULL pointer dereference when a multipart/related HTTP POST request with an empty HTTP body is sent to t...
Original description
Open5GS v2.7.5, prior to commit 67ba7f92bbd7a378954895d96d9d7b05d5b64615, is vulnerable to a NULL pointer dereference when a multipart/related HTTP POST request with an empty HTTP body is sent to the SBI of either AMF, AUSF, BSF, NRF, NSSF, PCF, SMF, UDM, or UDR, resulting in a denial of service. This occurs in the parse_multipart function in lib/sbi/message.c.
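The bug class described above, as an added illustration that is not Open5GS code: a minimal C multipart/related part counter that rejects a NULL or zero-length body before scanning it. The `http_msg` struct, the `MP_*` codes and `count_multipart_parts` are hypothetical names chosen for this sketch.

```c
#include <string.h>
#include <strings.h>

/* Hypothetical request view; these names are assumptions, not Open5GS types. */
struct http_msg {
    const char *content_type;  /* Content-Type header value, may be NULL */
    const char *content;       /* body bytes; NULL when no body was sent */
    size_t content_length;     /* body length in bytes */
};

enum { MP_NOT_MULTIPART = -1, MP_NO_BOUNDARY = -2,
       MP_EMPTY_BODY = -3, MP_NO_PARTS = -4 };

/* Returns the number of body parts (> 0) or a negative MP_* error. */
int count_multipart_parts(const struct http_msg *m)
{
    static const char mt[] = "multipart/related";
    char delim[80] = "--";
    const char *b, *p, *end;
    size_t dlen;
    int parts = 0;

    if (!m || !m->content_type ||
        strncasecmp(m->content_type, mt, sizeof(mt) - 1) != 0)
        return MP_NOT_MULTIPART;
    if (!(b = strstr(m->content_type, "boundary=")))
        return MP_NO_BOUNDARY;
    b += strlen("boundary=");
    if (*b == '"') b++;           /* boundary value may be quoted */
    dlen = strcspn(b, "\"; \t");
    if (dlen == 0 || dlen > 70)   /* RFC 2046 caps boundaries at 70 chars */
        return MP_NO_BOUNDARY;
    memcpy(delim + 2, b, dlen);
    dlen += 2;
    /* The check this bug class needs: the headers can announce multipart
     * while the body pointer is NULL, so reject before touching the body. */
    if (!m->content || m->content_length == 0)
        return MP_EMPTY_BODY;
    end = m->content + m->content_length;
    for (p = m->content; (size_t)(end - p) >= dlen; p++) {
        if ((p != m->content && p[-1] != '\n') || memcmp(p, delim, dlen) != 0)
            continue;             /* not a delimiter at the start of a line */
        if ((size_t)(end - p) >= dlen + 2 && !memcmp(p + dlen, "--", 2))
            break;                /* closing delimiter ends the scan */
        parts++;
        p += dlen - 1;
    }
    return parts > 0 ? parts : MP_NO_PARTS;
}
```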
nvd CVSS3.1
4.0
Vulnerability type
CWE-476
NULL Pointer Dereference
- https://github.com/open5gs/open5gs/commit/67ba7f92bbd7a378954895d96d9d7b05d5b646... Patch
- https://github.com/open5gs/open5gs/issues/3942 Exploit Issue Tracking
- https://github.com/tsiamoulis/vuln-research/tree/main/CVE-2025-55904 Exploit Third Party Advisory
Published: 17 Sep 2025 · Updated: 15 Jun 2026 · First seen: 7 Mar 2026