Denial-of-Service Vulnerability in omec-project UPF by omec-project
CVE-2025-65563

7.5HIGH

Key Information:

Vendor: omec-project
Status: UPF
Vendor: CVE Published:; 18 December 2025

🔔 Create omec-project Vulnerability Alert

What is CVE-2025-65563?

A denial-of-service vulnerability exists in the omec-project UPF component (upf-epc/pfcpiface) prior to version 2.1.3-dev. This issue arises when the UPF receives a PFCP Association Setup Request that lacks the mandatory NodeID Information Element. Instead of validating the message, the association setup handler attempts to dereference a nil pointer, resulting in a panic that causes the UPF process to crash. An attacker capable of sending PFCP Association Setup Request messages to the UPF's N4/PFCP endpoint can exploit this vulnerability to repeatedly crash the UPF, severely disrupting user-plane services.

References

https://github.com/omec-project/upf/issues/955

https://github.com/omec-project/upf/pull/963

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 18, 2025
Vulnerability Reserved
Nov 18, 2025

CVE-2025-65563 Data

JSON