Medium severity 6.2 · NVD Advisory · Published Mar 16, 2025 · Updated Apr 15, 2026

CVE-2025-30077

Description

Open Networking Foundation SD-RAN ONOS onos-lib-go 0.10.28 allows an index out-of-range panic in asn1/aper GetBitString via a zero value of numBits.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
github.com/onosproject/onos-lib-go (Go) | <= 0.10.28 |

Patches

55579ffad35f

add sanity checks to avoid panic in GetBitString when numBits is 0 (#296)

1 file changed · +6 −1
  • pkg/asn1/aper/aper.go +6 −1 modified
    @@ -7,10 +7,11 @@ package aper
     import (
     	"encoding/hex"
     	"fmt"
    +	"reflect"
    +
     	"github.com/onosproject/onos-lib-go/api/asn1/v1/asn1"
     	"github.com/onosproject/onos-lib-go/pkg/errors"
     	"github.com/onosproject/onos-lib-go/pkg/logging"
    -	"reflect"
     )
     
     var log = logging.GetLogger("asn1", "aper")
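Review bot: moving `"reflect"` up into the standard-library group of the import block is a formatting-only change unrelated to the numBits fix. Consider splitting it into its own commit so the security patch stays a minimal diff that is easy to audit and backport.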
    @@ -39,6 +40,10 @@ func perBitLog(numBits uint64, byteOffset uint64, bitsOffset uint, value interfa
     
     // GetBitString is to get BitString with desire size from source byte array with bit offset
     func GetBitString(srcBytes []byte, bitsOffset uint, numBits uint) (dstBytes []byte, err error) {
    +	if numBits == 0 {
    +		return []byte{}, nil
    +	}
    +
     	bitsLeft := uint(len(srcBytes))*8 - bitsOffset
     	if numBits > bitsLeft {
     		err = fmt.Errorf("Get bits overflow, requireBits: %d, leftBits: %d", numBits, bitsLeft)
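Review bot: the subtraction in `bitsLeft := uint(len(srcBytes))*8 - bitsOffset`, directly below the new guard, is unsigned and still unchecked, so a bitsOffset larger than the bit length of srcBytes wraps bitsLeft to a very large value and the `numBits > bitsLeft` test no longer rejects the request. Suggest returning an error when `bitsOffset > uint(len(srcBytes))*8` before the subtraction. The early return for `numBits == 0` also skips any offset validation, so a zero-length read at an out-of-range offset now succeeds silently; decide whether that is intended and say so in the function comment. The commit changes one file only, so a regression test covering the zero case is worth adding alongside it.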
    
