Moderate severity · NVD Advisory · Published Apr 21, 2025 · Updated Apr 21, 2025

CVE-2025-43973

Description

An issue was discovered in GoBGP before 3.35.0. pkg/packet/rtr/rtr.go does not verify that the input length corresponds to a situation in which all bytes are available for an RTR message.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

GoBGP before 3.35.0 has an insufficient input length check in pkg/packet/rtr/rtr.go that may lead to out-of-bounds slice access when parsing RTR messages.

Vulnerability Description

An issue in GoBGP versions prior to 3.35.0, specifically in pkg/packet/rtr/rtr.go, fails to verify that the input length corresponds to a situation in which all bytes are available for an RTR (Resource Public Key Infrastructure) message. The flaw is present in the SplitRTR and ParseRTR functions: the existing length check only ensures the first few bytes can be read to obtain the message type and length, but does not guarantee that the full payload is present. Consequently, a truncated or malformed RTR message can cause the parser to access slice elements beyond the actual data length [1][4].
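
An added example, not GoBGP's code and not part of the advisory: a Go parser that performs the complete length validation the paragraph above describes as missing, checking both the fixed header and the declared payload before any byte is indexed. It assumes the RTR PDU header layout from RFC 6810 (8 bytes, total length in bytes 4 to 7); `CheckedParse`, `PDU`, the error names and the 64 KiB cap are hypothetical.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	headerLen = 8         // RFC 6810 header: version(1) type(1) session/zero(2) length(4)
	maxPDULen = 64 * 1024 // assumed sanity cap, not a value taken from GoBGP
)

var (
	ErrShortHeader = errors.New("rtr: fewer than 8 header bytes available")
	ErrBadLength   = errors.New("rtr: declared length out of range")
	ErrTruncated   = errors.New("rtr: fewer bytes available than declared")
)

// PDU is a hypothetical container for one length-validated message.
type PDU struct {
	Version, Type uint8
	Payload       []byte
}

// CheckedParse returns one PDU and the number of bytes it consumed.
func CheckedParse(data []byte) (PDU, int, error) {
	if len(data) < headerLen { // header must be complete before data[1] or data[4:8]
		return PDU{}, 0, ErrShortHeader
	}
	declared := binary.BigEndian.Uint32(data[4:8])
	if declared < headerLen || declared > maxPDULen {
		return PDU{}, 0, ErrBadLength
	}
	n := int(declared)
	if len(data) < n { // the whole PDU must be present, not just its header
		return PDU{}, 0, ErrTruncated
	}
	return PDU{Version: data[0], Type: data[1], Payload: data[headerLen:n]}, n, nil
}

func main() {
	// Constructed sample: a 12-byte Serial Notify PDU (type 0), then two truncations.
	full := []byte{1, 0, 0, 7, 0, 0, 0, 12, 0, 0, 0, 42}
	for _, in := range [][]byte{full, full[:1], full[:10]} {
		_, n, err := CheckedParse(in)
		fmt.Printf("len=%d consumed=%d err=%v\n", len(in), n, err)
	}
}
```

A stream splitter built on the same checks would treat `ErrShortHeader` and `ErrTruncated` as "wait for more bytes" and `ErrBadLength` as a reason to drop the session.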

Attack Vector and Exploitation

The vulnerability can be exploited remotely without authentication, as RTR messages are received over the network by GoBGP’s RTR client or server components. An attacker needs only to send a specially crafted, short RTR message (e.g., fewer bytes than required for the indicated payload length) to a vulnerable GoBGP instance. The insufficient input length check in SplitRTR (which sets advance and returns the data token) and ParseRTR (which reads the first byte to determine message type) can lead to processing of incomplete data [2][4]. Source code inspection confirms that the fix adds an explicit len(data) < 1 check before accessing data[1] [4].

Impact

Successful exploitation can cause a panic (nil pointer dereference or index out-of-range) in the Go runtime, resulting in a denial of service (DoS) condition for the GoBGP process. Since GoBGP is often used in critical routing infrastructure, such as Route Servers or Route Reflectors, this can disrupt BGP session handling and network stability. No evidence of remote code execution or data exfiltration is provided in the advisory [1][2].

Mitigation

The vulnerability is fixed in GoBGP version 3.35.0. Users should upgrade to this release or apply the commit 5693c58a4815cc6327b8d3b6980f0e5aced28abe [2][4]. No workarounds are documented; however, limiting exposure of the RTR service to trusted networks can reduce risk.

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
github.com/osrg/gobgp (Go) | >= 0 |
github.com/osrg/gobgp/v3 (Go) | < 3.35.0 | 3.35.0

Affected products

32

Patches

1
5693c58a4815

pkg/packet/rtr: fix parser to check the input length

https://github.com/osrg/gobgp · Ivan Gotovchits · Feb 7, 2025 · via ghsa
1 file changed · +3 -0
  • pkg/packet/rtr/rtr.go+3 0 modified
    @@ -364,6 +364,9 @@ func SplitRTR(data []byte, atEOF bool) (advance int, token []byte, err error) {
     }
     
     func ParseRTR(data []byte) (RTRMessage, error) {
    +	if len(data) < 1 {
    +		return nil, fmt.Errorf("not all bytes are available for RTR message")
    +	}
     	var msg RTRMessage
     	switch data[1] {
     	case RTR_SERIAL_NOTIFY:
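
Review bot: the new guard in ParseRTR tests `len(data) < 1`, but the next statement reads `data[1]`, which needs at least two bytes, so a one-byte input passes the check and still indexes out of range. Raise the bound to cover every offset the function reads, at minimum `len(data) < 2`. Since the error text says "not all bytes are available for RTR message", the comparison would better match it if it were made against the message's full expected length rather than a single byte.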
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

4
