Cross-Service Token: Finding Attacks in 5G Core Networks

📅 2025-09-10
🤖 AI Summary
To address security risks in the 5G core network's service-based architecture, which arise from its modular design and HTTP/REST API communication, this paper proposes FivGeeFuzz, a grammar-guided fuzzing framework. FivGeeFuzz is the first to automatically derive semantics-aware test grammars directly from official 3GPP API specifications; it further supports OAuth access control analysis and introduces the "Cross-Service Token Attack", which exposes critical unauthorized access caused by OAuth tokens issued for one service being accepted by another. Combining grammar-based fuzzing, automated vulnerability detection, and manual validation, FivGeeFuzz discovers eight previously unknown vulnerabilities in free5GC, including one critical cross-service token vulnerability, all confirmed by the official maintainers, with seven already patched. This work establishes a reproducible, semantics-driven paradigm for security testing of 5G core network service interfaces.

📝 Abstract
5G marks a major departure from previous cellular architectures by transitioning from a monolithic core network design to a Service-Based Architecture (SBA), in which services are modularized as Network Functions (NFs) that communicate with each other via standard-defined HTTP-based APIs called Service-Based Interfaces (SBIs). These NFs are deployed in private and public cloud infrastructure, and an access control framework based on OAuth restricts how they communicate with each other and obtain access to resources. Given the increased exposure of clouds to insiders, it is important to study the security of the 5G Core services for vulnerabilities that allow attackers to use compromised NFs to obtain unauthorized access to resources. We present FivGeeFuzz, a grammar-based fuzzing framework designed to uncover security flaws in 5G core SBIs. FivGeeFuzz automatically derives grammars from 3GPP API specifications to generate malformed, unexpected, or semantically inconsistent inputs, and it integrates automated bug detection with manual validation and root-cause analysis. We evaluate our approach on free5GC, the only open-source 5G core implementing Release 17-compliant SBIs with an access control mechanism. Using FivGeeFuzz, we discovered 8 previously unknown vulnerabilities in free5GC, leading to runtime crashes, improper error handling, and unauthorized access to resources, including a very severe attack we call the Cross-Service Token Attack. All bugs were confirmed by the free5GC team; 7 have already been patched, and the remaining one has a patch under development.
Problem

Research questions and friction points this paper is trying to address.

Identifying vulnerabilities in 5G core network service-based interfaces
Detecting unauthorized access risks from compromised network functions
Testing security flaws through malformed API input generation
Innovation

Methods, ideas, or system contributions that make the work stand out.

Grammar-based fuzzing for 5G core security testing
Automatic grammar derivation from 3GPP API specifications
Integrated automated bug detection with manual validation and root-cause analysis