VYPR
High severity · NVD Advisory · Published Apr 21, 2025 · Updated Apr 21, 2025

CVE-2025-43971

Description

An issue was discovered in GoBGP before 3.35.0. pkg/packet/bgp/bgp.go allows attackers to cause a panic via a zero value for softwareVersionLen.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

GoBGP before 3.35.0 is vulnerable to a denial of service via crafted BGP messages causing a panic due to missing length validation.

Vulnerability

An issue was discovered in GoBGP before version 3.35.0, specifically in the pkg/packet/bgp/bgp.go file. The vulnerability allows attackers to cause a panic (crash) by supplying a zero value for softwareVersionLen when parsing BGP messages. This is a denial of service (DoS) issue that can be triggered remotely, as the malformed packet is processed during normal BGP session handling. The root cause is insufficient input validation on the length field [1][2].

Exploitation

The vulnerability is exploitable by sending a specially crafted BGP message that includes a zero length for the software version field. No authentication is required to exploit this flaw; an attacker can send the malicious packet as part of a BGP OPEN message. The issue affects both internal and external BGP sessions. Since BGP is typically deployed on core internet routers and route servers, the attack surface involves any peer that can send a crafted BGP message to a vulnerable GoBGP instance [1][3].

Impact

Successful exploitation causes a panic in the GoBGP process, leading to a crash and denial of service. This can disrupt BGP routing operations, causing route withdrawal and potential connectivity issues. Depending on the deployment, the impact can range from transient instability to prolonged outage if the process does not automatically restart. There is no data breach or code execution risk, but the service disruption is significant for critical network infrastructure [2][4].

Mitigation

GoBGP version 3.35.0 and later include a fix that validates the softwareVersionLen field and other length fields before processing. Users should upgrade to the latest stable release. Debian trixie and unstable (sid) have fixed packages; Debian bookworm is marked as vulnerable but not yet fixed in the stable release [1][4]. There are no known workarounds aside from restricting BGP peer access by IP address or deploying a firewall to filter malformed packets.
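The length rules named in the fix, applied as a stand-alone check over the Optional Parameters field of an OPEN message. This is an added example, not GoBGP's code: the function names are hypothetical, and the optional parameter type 2 and capability code 75 are assumptions taken from RFC 5492 and the IANA capability registry, not from this page.

```go
package main

import "fmt"

// Assumed values, not on the page: optional parameter type 2 = capabilities, code 75 = Software Version.
const optParamCapabilities, capSoftwareVersion = 2, 75

// checkVersionLen rejects an empty value, a zero or over-64 length byte, or a length past the data.
func checkVersionLen(val []byte) error {
	if len(val) == 0 || val[0] == 0 || val[0] > 64 || len(val[1:]) < int(val[0]) {
		return fmt.Errorf("invalid software version capability value % x", val)
	}
	return nil
}

// walkTLV calls fn on each value in a run of TLVs (1-byte type, 1-byte length).
func walkTLV(b []byte, fn func(t byte, v []byte) error) error {
	for len(b) > 0 {
		if len(b) < 2 || len(b)-2 < int(b[1]) {
			return fmt.Errorf("truncated TLV")
		}
		end := 2 + int(b[1])
		if err := fn(b[0], b[2:end]); err != nil {
			return err
		}
		b = b[end:]
	}
	return nil
}

// CheckOpenOptParams checks each Software Version capability found; nil means nothing was rejected.
func CheckOpenOptParams(opt []byte) error {
	return walkTLV(opt, func(pt byte, pv []byte) error {
		if pt != optParamCapabilities {
			return nil
		}
		return walkTLV(pv, func(code byte, cv []byte) error {
			if code == capSoftwareVersion {
				return checkVersionLen(cv)
			}
			return nil
		})
	})
}

func main() {
	fmt.Println(CheckOpenOptParams([]byte{2, 5, 75, 3, 2, 'v', '1'})) // constructed: well-formed "v1"
	fmt.Println(CheckOpenOptParams([]byte{2, 3, 75, 1, 0}))           // constructed: zero length byte
}
```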

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: github.com/osrg/gobgp/v3 (Go)
Affected versions: >= 3.11.0, < 3.35.0
Patched versions: 3.35.0

Affected products

31

Patches

1
08a001e06d90

pkg/packet/bgp: fix SoftVersion capability parser to check the input length

https://github.com/osrg/gobgp · Ivan Gotovchits · Feb 7, 2025 · via ghsa
1 file changed · +1 -1
  • pkg/packet/bgp/bgp.go +1 -1 modified
    @@ -1094,7 +1094,7 @@ func (c *CapSoftwareVersion) DecodeFromBytes(data []byte) error {
     		return NewMessageError(BGP_ERROR_OPEN_MESSAGE_ERROR, BGP_ERROR_SUB_UNSUPPORTED_CAPABILITY, nil, "Not all CapabilitySoftwareVersion bytes allowed")
     	}
     	softwareVersionLen := uint8(data[0])
    -	if len(data[1:]) < int(softwareVersionLen) || softwareVersionLen > 64 {
    +	if len(data[1:]) < int(softwareVersionLen) || softwareVersionLen > 64 || softwareVersionLen == 0 {
     		return NewMessageError(BGP_ERROR_OPEN_MESSAGE_ERROR, BGP_ERROR_SUB_UNSUPPORTED_CAPABILITY, nil, "invalid length of software version capablity")
     	}
     	c.SoftwareVersionLen = softwareVersionLen
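Review bot: the new `softwareVersionLen == 0` clause on the `if len(data[1:]) < int(softwareVersionLen) ...` line ships without a regression test, since the commit touches only pkg/packet/bgp/bgp.go. A test case that passes DecodeFromBytes a capability whose length byte is 0 and expects the OPEN message error would pin the fix. The three conditions also share one message, "invalid length of software version capablity" (note the misspelled "capablity"), so an operator reading the error cannot tell a zero length from an over-64 or truncated one; consider including the received length value in the message.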
    

References

5
