CVE-2025-65563

Published: Dec 18, 2025

Modified: Dec 19, 2025

PUBLISHED

Description

A denial-of-service vulnerability exists in the omec-project UPF (component upf-epc/pfcpiface) up to at least version upf-epc-pfcpiface:2.1.3-dev. When the UPF receives a PFCP Association Setup Request that is missing the mandatory NodeID Information Element, the association setup handler dereferences a nil pointer instead of validating the message, causing a panic and terminating the UPF process. An attacker who can send PFCP Association Setup Request messages to the UPF's N4/PFCP endpoint can exploit this issue to repeatedly crash the UPF and disrupt user-plane services.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

https://github.com/omec-project/upf/issues/955

https://github.com/omec-project/upf/pull/963

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2025-65563

Description

Affected Products

References