{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-15555", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-02-02T19:02:29.323Z", "datePublished": "2026-02-04T20:32:07.223Z", "dateUpdated": "2026-04-07T15:49:09.962Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-07T15:49:09.962Z"}, "title": "Open5GS VoLTE Cx-Test hss-cx-path.c hss_ogs_diam_cx_mar_cb stack-based overflow", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-121", "lang": "en", "description": "Stack-based Buffer Overflow"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-119", "lang": "en", "description": "Memory Corruption"}]}], "affected": [{"vendor": "n/a", "product": "Open5GS", "versions": [{"version": "2.7.0", "status": "affected"}, {"version": "2.7.1", "status": "affected"}, {"version": "2.7.2", "status": "affected"}, {"version": "2.7.3", "status": "affected"}, {"version": "2.7.4", "status": "affected"}, {"version": "2.7.5", "status": "affected"}, {"version": "2.7.6", "status": "affected"}], "cpes": ["cpe:2.3:a:open5gs:open5gs:*:*:*:*:*:*:*:*"], "modules": ["VoLTE Cx-Test"]}], "descriptions": [{"lang": "en", "value": "A security flaw has been discovered in Open5GS up to 2.7.6. Affected by this vulnerability is the function hss_ogs_diam_cx_mar_cb of the file src/hss/hss-cx-path.c of the component VoLTE Cx-Test. The manipulation of the argument OGS_KEY_LEN results in stack-based buffer overflow. The attack may be launched remotely. The patch is identified as 54dda041211098730221d0ae20a2f9f9173e7a21. A patch should be applied to remediate this issue."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:X/RL:O/RC:C", "baseSeverity": "HIGH"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 7.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:X/RL:O/RC:C", "baseSeverity": "HIGH"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:ND/RL:OF/RC:C"}}], "timeline": [{"time": "2026-02-02T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-02-02T01:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-04-07T17:49:13.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "Luca Jungnickel (Fraunhofer FOKUS)", "type": "finder"}, {"lang": "en", "value": "jungnickel (VulDB User)", "type": "reporter"}, {"lang": "en", "value": "jungnickel (VulDB User)", "type": "analyst"}], "references": [{"url": "https://vuldb.com/vuln/343795", "name": "VDB-343795 | Open5GS VoLTE Cx-Test hss-cx-path.c hss_ogs_diam_cx_mar_cb stack-based overflow", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/343795/cti", "name": "VDB-343795 | CTI Indicators (IOB, IOC, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/741901", "name": "Submit #741901 | Open5GS v2.7.6 Buffer Over-read", "tags": ["third-party-advisory"]}, {"url": "https://github.com/open5gs/open5gs/issues/4177", "tags": ["issue-tracking"]}, {"url": "https://github.com/open5gs/open5gs/issues/4177#event-21256395700", "tags": ["issue-tracking"]}, {"url": "https://github.com/open5gs/open5gs/commit/54dda041211098730221d0ae20a2f9f9173e7a21", "tags": ["patch"]}, {"url": "https://github.com/open5gs/open5gs/", "tags": ["product"]}], "tags": ["x_open-source"]}, "adp": [{"references": [{"url": "https://github.com/open5gs/open5gs/issues/4177#event-21256395700", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-05T21:04:36.793143Z", "id": "CVE-2025-15555", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-05T21:04:40.608Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-15555", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-05T21:04:36.793143Z"}}}], "references": [{"url": "https://github.com/open5gs/open5gs/issues/4177#event-21256395700", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-05T21:04:29.190Z"}}], "cna": {"tags": ["x_open-source"], "title": "Open5GS VoLTE Cx-Test hss-cx-path.c hss_ogs_diam_cx_mar_cb stack-based overflow", "credits": [{"lang": "en", "type": "finder", "value": "Luca Jungnickel (Fraunhofer FOKUS)"}, {"lang": "en", "type": "reporter", "value": "jungnickel (VulDB User)"}, {"lang": "en", "type": "analyst", "value": "jungnickel (VulDB User)"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 7.3, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:X/RL:O/RC:C"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 7.3, "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:X/RL:O/RC:C"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:ND/RL:OF/RC:C"}}], "affected": [{"cpes": ["cpe:2.3:a:open5gs:open5gs:*:*:*:*:*:*:*:*"], "vendor": "n/a", "modules": ["VoLTE Cx-Test"], "product": "Open5GS", "versions": [{"status": "affected", "version": "2.7.0"}, {"status": "affected", "version": "2.7.1"}, {"status": "affected", "version": "2.7.2"}, {"status": "affected", "version": "2.7.3"}, {"status": "affected", "version": "2.7.4"}, {"status": "affected", "version": "2.7.5"}, {"status": "affected", "version": "2.7.6"}]}], "timeline": [{"lang": "en", "time": "2026-02-02T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-02-02T01:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-04-07T17:49:13.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/vuln/343795", "name": "VDB-343795 | Open5GS VoLTE Cx-Test hss-cx-path.c hss_ogs_diam_cx_mar_cb stack-based overflow", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/343795/cti", "name": "VDB-343795 | CTI Indicators (IOB, IOC, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/741901", "name": "Submit #741901 | Open5GS v2.7.6 Buffer Over-read", "tags": ["third-party-advisory"]}, {"url": "https://github.com/open5gs/open5gs/issues/4177", "tags": ["issue-tracking"]}, {"url": "https://github.com/open5gs/open5gs/issues/4177#event-21256395700", "tags": ["issue-tracking"]}, {"url": "https://github.com/open5gs/open5gs/commit/54dda041211098730221d0ae20a2f9f9173e7a21", "tags": ["patch"]}, {"url": "https://github.com/open5gs/open5gs/", "tags": ["product"]}], "descriptions": [{"lang": "en", "value": "A security flaw has been discovered in Open5GS up to 2.7.6. Affected by this vulnerability is the function hss_ogs_diam_cx_mar_cb of the file src/hss/hss-cx-path.c of the component VoLTE Cx-Test. The manipulation of the argument OGS_KEY_LEN results in stack-based buffer overflow. The attack may be launched remotely. The patch is identified as 54dda041211098730221d0ae20a2f9f9173e7a21. A patch should be applied to remediate this issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-121", "description": "Stack-based Buffer Overflow"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-119", "description": "Memory Corruption"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-07T15:49:09.962Z"}}}, "cveMetadata": {"cveId": "CVE-2025-15555", "state": "PUBLISHED", "dateUpdated": "2026-04-07T15:49:09.962Z", "dateReserved": "2026-02-02T19:02:29.323Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-02-04T20:32:07.223Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:open5gs:open5gs:*:*:*:*:*:*:*:*", "matchCriteriaId": "9C77332A-BAA3-4FE7-A237-B87F175C6F48", "versionEndIncluding": "2.7.6", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A security flaw has been discovered in Open5GS up to 2.7.6. Affected by this vulnerability is the function hss_ogs_diam_cx_mar_cb of the file src/hss/hss-cx-path.c of the component VoLTE Cx-Test. The manipulation of the argument OGS_KEY_LEN results in stack-based buffer overflow. The attack may be launched remotely. The patch is identified as 54dda041211098730221d0ae20a2f9f9173e7a21. A patch should be applied to remediate this issue."}, {"lang": "es", "value": "Una falla de seguridad ha sido descubierta en Open5GS hasta la versi\u00f3n 2.7.6. Afectada por esta vulnerabilidad es la funci\u00f3n hss_ogs_diam_cx_mar_cb del archivo src/hss/hss-cx-path.c del componente VoLTE Cx-Test. La manipulaci\u00f3n del argumento OGS_KEY_LEN resulta en desbordamiento de b\u00fafer basado en pila. El ataque puede ser lanzado remotamente. El parche se identifica como 54dda041211098730221d0ae20a2f9f9173e7a21. Un parche deber\u00eda aplicarse para remediar este problema."}], "id": "CVE-2025-15555", "lastModified": "2026-04-07T16:16:22.347", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.4, "source": "cna@vuldb.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.2, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-02-04T21:15:57.380", "references": [{"source": "cna@vuldb.com", "tags": ["Product"], "url": "https://github.com/open5gs/open5gs/"}, {"source": "cna@vuldb.com", "tags": ["Patch"], "url": "https://github.com/open5gs/open5gs/commit/54dda041211098730221d0ae20a2f9f9173e7a21"}, {"source": "cna@vuldb.com", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"], "url": "https://github.com/open5gs/open5gs/issues/4177"}, {"source": "cna@vuldb.com", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"], "url": "https://github.com/open5gs/open5gs/issues/4177#event-21256395700"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/submit/741901"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/343795"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/343795/cti"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"], "url": "https://github.com/open5gs/open5gs/issues/4177#event-21256395700"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-119"}, {"lang": "en", "value": "CWE-121"}], "source": "cna@vuldb.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-787"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T20:05:12.392063+00:00", "value": {"mitigation_remediation": ["Apply the vendor patch identified by commit 54dda041211098730221d0ae20a2f9f9173e7a21, which updates Open5GS to a version beyond 2.7.6.", "If the patch is not immediately available, upgrade to a newer Open5GS release that includes the fix, such as 2.7.7 or later.", "As an interim measure, limit or disable access to the VoLTE Cx\u2011Test HSS interface until the patch can be applied to reduce exposure."], "summary": {"action": "Apply Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "All installations of Open5GS up to and including version 2.7.6 that deploy the VoLTE Cx\u2011Test component are impacted. The flaw resides in src/hss/hss\u2011cx\u2011path.c and applies to any deployment using the default configuration of Open5GS, with no further platform restrictions noted.", "description_and_impact": "The vulnerability is a stack\u2011based buffer overflow located in the hss_ogs_diam_cx_mar_cb function of the VoLTE Cx\u2011Test component. By manipulating the OGS_KEY_LEN argument, an attacker can overflow the stack, corrupting control data and enabling execution of arbitrary code or denial of service. This exploit can compromise confidentiality, integrity, and availability of the affected service.", "risk_and_exploitability": "The CVSS score of 6.9 denotes medium severity. EPSS is reported as less than 1\u202f%, indicating a very low likelihood of active exploitation at this time. The vulnerability is not listed in the CISA KEV catalog. Based on the description, exploitation can be carried out remotely, likely via crafted Diameter requests to the HSS interface.*"}}}}, "created": "2026-02-05T11:39:12.543167+00:00", "updated": "2026-04-22T20:15:20.527750+00:00", "vendors": ["open5gs", "open5gs$PRODUCT$open5gs"]}