CVE-2025-66719 — Free5gc NRF is vulnerable to scope validation bypass via maliciously crafted tar

Description

An issue was discovered in Free5gc NRF 1.4.0. In the access-token generation logic of free5GC, the AccessTokenScopeCheck() function in file internal/sbi/processor/access_token.go bypasses all scope validation when the attacker uses a crafted targetNF value. This allows attackers to obtain an access token with any arbitrary scope.

How to fix CVE-2025-66719

To remediate CVE-2025-66719, upgrade the affected package to a fixed version below.

Go/github.com/free5gc/nrf—upgrade to 1.4.1 or later

Is CVE-2025-66719 being exploited?

No exploitation signal available. Neither CISA KEV nor a current EPSS score has been published for CVE-2025-66719.

Affected packages (1)

from 0, < 1.4.1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-66719
PATCHgithub.com/free5gc/nrf
WEBgithub.com/free5gc/free5gc/issues/733
WEBgithub.com/free5gc/free5gc/issues/736
WEBgithub.com/free5gc/nrf/pull/73