CVE-2025-43973: GoBGP does not verify that the input length

CVSS Score: 6.8 (CVSS 3.1)

Basic Information

EPSS Score: 0.04353%
Published: 4/21/2025
Updated: 4/21/2025
KEV Status: No
Technology: Go

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
| --- | --- | --- | --- |
| github.com/osrg/gobgp | go | < 3.35.0 | |
| github.com/osrg/gobgp/v3 | go | < 3.35.0 | 3.35.0 |

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability description states that `pkg/packet/rtr/rtr.go` does not verify input length for RTR messages. Commit `5693c58a4815cc6327b8d3b6980f0e5aced28abe` addresses this directly by adding a length check at the beginning of the `ParseRTR` function in that file. `ParseRTR` is responsible for parsing RTR messages, and without this check it would process malformed or truncated messages, potentially leading to a denial of service or other issues. The patch itself is the primary evidence for identifying `ParseRTR` as the vulnerable function.
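The kind of length validation described above, as an added example that is not GoBGP's code or the patch itself: it checks both the buffer size and the PDU's declared length before any field is used. The 8-byte header layout is taken from RFC 6810/8210; `rtrHeader`, `checkRTR` and the error names are hypothetical, and the sample bytes are constructed.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// RTR PDU header (RFC 6810/8210): version(1) type(1) session/reserved(2) length(4).
const rtrHeaderLen = 8

var (
	errShortHeader = errors.New("rtr: fewer than 8 header bytes")
	errBadLength   = errors.New("rtr: declared length smaller than header")
	errTruncated   = errors.New("rtr: declared length exceeds available bytes")
)

// rtrHeader and checkRTR are hypothetical names for this example, not GoBGP's API.
type rtrHeader struct {
	Version, Type uint8
	Session       uint16
	Length        uint32
}

// checkRTR validates lengths before touching any field, then bounds the body.
func checkRTR(data []byte) (rtrHeader, []byte, error) {
	if len(data) < rtrHeaderLen {
		return rtrHeader{}, nil, errShortHeader
	}
	h := rtrHeader{
		Version: data[0],
		Type:    data[1],
		Session: binary.BigEndian.Uint16(data[2:4]),
		Length:  binary.BigEndian.Uint32(data[4:8]),
	}
	if h.Length < rtrHeaderLen {
		return rtrHeader{}, nil, errBadLength
	}
	if uint64(h.Length) > uint64(len(data)) {
		return rtrHeader{}, nil, errTruncated
	}
	return h, data[rtrHeaderLen:h.Length], nil
}

func main() {
	// Constructed sample: Serial Notify PDU declaring 12 bytes, cut to 10.
	pdu := []byte{1, 0, 0, 7, 0, 0, 0, 12, 0, 0}
	_, _, err := checkRTR(pdu)
	fmt.Println(err)
}
```

Type-specific parsing should read only from the returned body slice, so a PDU whose fixed fields do not fit inside its declared length fails a bounds check on that slice instead of reading past the message.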
