{"id":"CVE-2025-8804","details":"A vulnerability was found in Open5GS up to 2.7.5. Affected by this vulnerability is the function ngap_build_downlink_nas_transport of the component AMF. The manipulation leads to reachable assertion. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 2.7.6 is able to address this issue. The identifier of the patch is bca0a7b6e01d254f4223b83831162566d4626428. It is recommended to upgrade the affected component.","modified":"2026-04-12T22:06:18.671998Z","published":"2025-08-10T10:15:26.647Z","references":[{"type":"WEB","url":"https://github.com/ZHENGHAOHELLO/BugReport/blob/main/CVE-2025-8804"},{"type":"WEB","url":"https://vuldb.com/?submit.625698"},{"type":"ADVISORY","url":"https://github.com/open5gs/open5gs/releases/tag/v2.7.6"},{"type":"ADVISORY","url":"https://vuldb.com/?id.319333"},{"type":"ADVISORY","url":"https://vuldb.com/?submit.626124"},{"type":"REPORT","url":"https://github.com/open5gs/open5gs/issues/3950#issuecomment-3034693457"},{"type":"REPORT","url":"https://vuldb.com/?ctiid.319333"},{"type":"REPORT","url":"https://github.com/open5gs/open5gs/issues/3950"},{"type":"FIX","url":"https://github.com/open5gs/open5gs/commit/bca0a7b6e01d254f4223b83831162566d4626428"},{"type":"EVIDENCE","url":"https://github.com/user-attachments/files/21030801/newdata_for_ngap.zip"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/open5gs/open5gs","events":[{"introduced":"0"},{"fixed":"d9d3abdd480be96fac3bc8a997e83446648763ca"},{"fixed":"bca0a7b6e01d254f4223b83831162566d4626428"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"2.7.6"}]}}],"versions":["v0.1.0","v0.1.1","v0.2.0","v0.3.0","v0.3.1","v0.3.10","v0.3.2","v0.3.3","v0.3.4","v0.3.5","v0.3.6","v0.3.8","v0.4.1","v0.4.2","v0.4.3","v0.4.4","v0.5.0","v0.5.1","v0.5.2","v1.0.0","v1.1.0","v1.2.0","v1.2.1","v1.2.2","v1.2.3","v1.2.4","v1.3.0","v2.0.0","v2.0.18","v2.0.22","v2.1.0","v2.1.1","v2.1.3","v2.1.4","v2.1.5","v2.1.7","v2.2.0","v2.2.1","v2.2.6","v2.2.7","v2.2.8","v2.2.9","v2.3.0","v2.3.2","v2.3.6","v2.4.0","v2.4.1","v2.4.3","v2.4.4","v2.4.5","v2.4.7","v2.4.8","v2.4.9","v2.6.1","v2.6.2","v2.6.3","v2.6.4","v2.6.6","v2.7.0","v2.7.1","v2.7.2","v2.7.5"],"database_specific":{"vanir_signatures":[{"id":"CVE-2025-8804-0eb6dfc9","signature_type":"Line","source":"https://github.com/open5gs/open5gs/commit/bca0a7b6e01d254f4223b83831162566d4626428","target":{"file":"src/amf/ngap-build.h"},"deprecated":false,"digest":{"line_hashes":["301301722341441134369934511735618371841","227279355900403902120015462553070683343","116167711291504658741956617460775935456","34177483276213920227428266241007379562"],"threshold":0.9},"signature_version":"v1"},{"id":"CVE-2025-8804-2218a62f","signature_type":"Line","source":"https://github.com/open5gs/open5gs/commit/bca0a7b6e01d254f4223b83831162566d4626428","target":{"file":"src/amf/ngap-build.c"},"deprecated":false,"digest":{"line_hashes":["103066522144633649659127578203973929729","57478437868522128278949508410204416360","292032095480174028970965658099307690308","76390899831670878565023154127682789982","61121834613189196417690955056490179428","116596755780812649443698859232289699953","217883840415240883678772169613922344026","14772995887168985947444587145736174496","60080903495183531472130685489130822258","298505349624669491536601128350824664525","337871275205122053615402045404744975644","47942751713861348293783652115358128486","234113638110693580048003601156577554649","55399714024352066514342941033910504059","87992821553591089695307161649552275069","26015059188587744116552127458849815391","10997632916059781039592122936261624123"],"threshold":0.9},"signature_version":"v1"},{"id":"CVE-2025-8804-28a5d035","signature_type":"Function","source":"https://github.com/open5gs/open5gs/commit/bca0a7b6e01d254f4223b83831162566d4626428","target":{"file":"src/amf/nas-path.c","function":"nas_5gs_send_identity_request"},"deprecated":false,"digest":{"function_hash":"13275324431308204516180805901335972456","length":901},"signature_version":"v1"},{"id":"CVE-2025-8804-3cdeb219","signature_type":"Function","source":"https://github.com/open5gs/open5gs/commit/bca0a7b6e01d254f4223b83831162566d4626428","target":{"file":"src/amf/nas-path.c","function":"nas_send_pdu_session_release_command"},"deprecated":false,"digest":{"function_hash":"58547867474689981043962518261900791716","length":1544},"signature_version":"v1"},{"id":"CVE-2025-8804-3dd0af03","signature_type":"Function","source":"https://github.com/open5gs/open5gs/commit/bca0a7b6e01d254f4223b83831162566d4626428","target":{"file":"src/amf/nas-path.c","function":"nas_5gs_send_de_registration_request"},"deprecated":false,"digest":{"function_hash":"307237499806495744807842117348547113016","length":980},"signature_version":"v1"},{"id":"CVE-2025-8804-3f6c9c86","signature_type":"Function","source":"https://github.com/open5gs/open5gs/commit/bca0a7b6e01d254f4223b83831162566d4626428","target":{"file":"src/amf/nas-path.c","function":"nas_5gs_send_service_reject"},"deprecated":false,"digest":{"function_hash":"294378566889558424493060662034995007531","length":396},"signature_version":"v1"},{"id":"CVE-2025-8804-47d3e1f7","signature_type":"Function","source":"https://github.com/open5gs/open5gs/commit/bca0a7b6e01d254f4223b83831162566d4626428","target":{"file":"src/amf/nas-path.c","function":"nas_5gs_send_security_mode_command"},"deprecated":false,"digest":{"function_hash":"62408917282634700524957742784458599457","length":932},"signature_version":"v1"},{"id":"CVE-2025-8804-51cded23","signature_type":"Function","source":"https://github.com/open5gs/open5gs/commit/bca0a7b6e01d254f4223b83831162566d4626428","target":{"file":"src/amf/nas-path.c","function":"nas_5gs_send_de_registration_accept"},"deprecated":false,"digest":{"function_hash":"288180678918662743785878832766217164343","length":888},"signature_version":"v1"},{"id":"CVE-2025-8804-56897a49","signature_type":"Function","source":"https://github.com/open5gs/open5gs/commit/bca0a7b6e01d254f4223b83831162566d4626428","target":{"file":"src/amf/nas-path.c","function":"nas_5gs_send_authentication_reject"},"deprecated":false,"digest":{"function_hash":"142789318740999955986696156178366679272","length":642},"signature_version":"v1"},{"id":"CVE-2025-8804-64064fc7","signature_type":"Line","source":"https://github.com/open5gs/open5gs/commit/bca0a7b6e01d254f4223b83831162566d4626428","target":{"file":"src/amf/nas-path.h"},"deprecated":false,"digest":{"line_hashes":["187869461855556078967565128298265416326","232527834016363379977252207178161242469","70871252115164703417613588410095589237","82689461601566459091559201102225505688"],"threshold":0.9},"signature_version":"v1"},{"id":"CVE-2025-8804-64412b29","signature_type":"Function","source":"https://github.com/open5gs/open5gs/commit/bca0a7b6e01d254f4223b83831162566d4626428","target":{"file":"src/amf/ngap-build.c","function":"ngap_build_downlink_nas_transport"},"deprecated":false,"digest":{"function_hash":"141994838680753283561600595291010714841","length":3855},"signature_version":"v1"},{"id":"CVE-2025-8804-6d6b68e0","signature_type":"Function","source":"https://github.com/open5gs/open5gs/commit/bca0a7b6e01d254f4223b83831162566d4626428","target":{"file":"src/amf/nas-path.c","function":"nas_5gs_send_authentication_request"},"deprecated":false,"digest":{"function_hash":"120400608293292056791916399497074717657","length":980},"signature_version":"v1"},{"id":"CVE-2025-8804-7765cc23","signature_type":"Function","source":"https://github.com/open5gs/open5gs/commit/bca0a7b6e01d254f4223b83831162566d4626428","target":{"file":"src/amf/nas-path.c","function":"nas_5gs_send_gmm_status"},"deprecated":false,"digest":{"function_hash":"202524391693938359194316873193433215345","length":596},"signature_version":"v1"},{"id":"CVE-2025-8804-7ec8cbdd","signature_type":"Function","source":"https://github.com/open5gs/open5gs/commit/bca0a7b6e01d254f4223b83831162566d4626428","target":{"file":"src/amf/nas-path.c","function":"nas_5gs_send_registration_reject"},"deprecated":false,"digest":{"function_hash":"195830185038115236823600054276272929900","length":1015},"signature_version":"v1"},{"id":"CVE-2025-8804-86469872","signature_type":"Function","source":"https://github.com/open5gs/open5gs/commit/bca0a7b6e01d254f4223b83831162566d4626428","target":{"file":"src/amf/nas-path.c","function":"nas_5gs_send_configuration_update_command"},"deprecated":false,"digest":{"function_hash":"200596469535166428942657329858057042056","length":1387},"signature_version":"v1"},{"id":"CVE-2025-8804-90769495","signature_type":"Function","source":"https://github.com/open5gs/open5gs/commit/bca0a7b6e01d254f4223b83831162566d4626428","target":{"file":"src/amf/nas-path.c","function":"nas_5gs_send_to_downlink_nas_transport"},"deprecated":false,"digest":{"function_hash":"309545004912713770859305619733673083986","length":349},"signature_version":"v1"},{"id":"CVE-2025-8804-97e06c06","signature_type":"Function","source":"https://github.com/open5gs/open5gs/commit/bca0a7b6e01d254f4223b83831162566d4626428","target":{"file":"src/amf/nas-path.c","function":"nas_5gs_send_dl_nas_transport"},"deprecated":false,"digest":{"function_hash":"188743423418359180334536398415306480557","length":826},"signature_version":"v1"},{"id":"CVE-2025-8804-e5895de9","signature_type":"Function","source":"https://github.com/open5gs/open5gs/commit/bca0a7b6e01d254f4223b83831162566d4626428","target":{"file":"src/amf/nas-path.c","function":"nas_5gs_send_registration_accept"},"deprecated":false,"digest":{"function_hash":"270963552850717326991922733915063733836","length":1947},"signature_version":"v1"},{"id":"CVE-2025-8804-ef9ce7e2","signature_type":"Function","source":"https://github.com/open5gs/open5gs/commit/bca0a7b6e01d254f4223b83831162566d4626428","target":{"file":"src/amf/nas-path.c","function":"nas_5gs_send_service_accept"},"deprecated":false,"digest":{"function_hash":"305064595896850915785708471212593360802","length":1304},"signature_version":"v1"},{"id":"CVE-2025-8804-efce1cc9","signature_type":"Line","source":"https://github.com/open5gs/open5gs/commit/bca0a7b6e01d254f4223b83831162566d4626428","target":{"file":"src/amf/nas-path.c"},"deprecated":false,"digest":{"line_hashes":["164055862463337788506784402018943653764","31750508807629650582502715241166852896","242595268017335642244919102805964639427","166316189787939930591456735281424801794","75354683872150820669418055439382330163","19740584175652593799223953087051575832","17618440364701227904767988131076852314","326412212821496515395433250588101529362","130000642623036394344917887715999568183","228795714477950205649784476233509177904","200685461994284975939672710879175659582","233761424158756534711369550526002844391","201165506216576388584177511897679924229","125644707174026615174932181657926865808","49961785103703648010071944532629992922","104316883457162730861941369729319405445","61275406454689586810950452097805438214","172654189134729223568886821577003296936","29123967785457964151896175480347244738","158279441640265489640389352110946899669","123378026503810668894353973027620558418","329319625015862892213353422556580624213","49961785103703648010071944532629992922","104316883457162730861941369729319405445","61275406454689586810950452097805438214","172654189134729223568886821577003296936","49961785103703648010071944532629992922","150459950046217594965807256186767637371","275183659355037737634912249381737608596","145768043249851207244815333599151397331","189356896262350488486450595239129915244","85230973419148610392356656867235960312","64455160154409519901730412199381160733","172654189134729223568886821577003296936","60056286847482173147960325337111470684","183711975368391301665598756625459697450","145575992616141193282331908536449109202","172654189134729223568886821577003296936","278328830338669645276576902482955166811","309563687840392098738613800886337649566","209032684585256182176274466811782368178","172654189134729223568886821577003296936","52120506254916426385332667302798454259","333768329024178671829040224690940785489","210882388609745865705161552254571954818","172654189134729223568886821577003296936","203377467504577144814790779329200974564","68144201990459379654673985451135690477","322425517768929091392281060544314678355","172654189134729223568886821577003296936","48942395196399716209468555234548543470","288070503229190896382802009835089628592","99514555958749023219809028366044437636","172654189134729223568886821577003296936","88574150361310813921278568555483890135","330835514866386097781833110478340733776","339094785391682940196392673665991271817","297056630592663620027742397511591258951","225874131848798171712621402149868133948","104316883457162730861941369729319405445","61275406454689586810950452097805438214","172654189134729223568886821577003296936","265561494064380463522036537980422289339","104316883457162730861941369729319405445","61275406454689586810950452097805438214","172654189134729223568886821577003296936"],"threshold":0.9},"signature_version":"v1"}],"vanir_signatures_modified":"2026-04-12T22:06:18Z","source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-8804.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}