CVE-2025-43971:
A vulnerability in GoBGP before 3.35.0 allows a panic to be triggered in the BGP packet handling code when a zero value is provided for softwareVersionLen, an off-by-one error (CWE-193).
Score
A numerical rating that indicates how dangerous this vulnerability is.
7.5HighA numerical rating that indicates how dangerous this vulnerability is.
- Published Date:Apr 21, 2025
- CISA KEV Date:*No Data*
- Industries Affected:20
Threat Predictions
- EPSS Score:0.1
- EPSS Percentile:30%
Exploitability
- Score:3.9
- Attack Vector:NETWORK
- Attack Complexity:LOW
- Privileges Required:NONE
- User Interaction:NONE
- Scope:UNCHANGED
Impact
- Score:3.6
- Confidentiality Impact:NONE
- Integrity Impact:NONE
- Availability Impact:HIGH
Description Preview
A vulnerability in GoBGP before 3.35.0 allows a panic to be triggered in the BGP packet handling code when a zero value is provided for softwareVersionLen, an off-by-one error (CWE-193).
Overview
GoBGP prior to 3.35.0 is affected by an off-by-one error in BGP packet handling that panics when softwareVersionLen is zero, potentially crashing the GoBGP process. All versions less than 3.35.0 are affected.
Remediation
- Upgrade GoBGP to version 3.35.0 or newer where the issue is fixed. If upgrading is not feasible, apply strict input validation to ensure softwareVersionLen is never zero and review exposure of BGP sessions. Refer to the referenced commit and upgrade notes for the exact fix.
References
Industries Affected
Below is a list of industries most commonly impacted or potentially at risk based on intelligence.
Low
