CVE-2025-43971

8.6 HIGH

📋 TL;DR

This vulnerability in GoBGP allows attackers to trigger a denial of service by sending specially crafted BGP packets with a zero value for softwareVersionLen, causing the application to panic and crash. All systems running vulnerable versions of GoBGP are affected, particularly network infrastructure using GoBGP for BGP routing.

💻 Affected Systems

Products:
  • GoBGP
Versions: All versions before 3.35.0
Operating Systems: All platforms running GoBGP
Default Config Vulnerable: ⚠️ Yes
Notes: Any GoBGP instance accepting BGP connections is vulnerable regardless of configuration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete service disruption of BGP routing, causing network outages and potential cascading failures in dependent systems.

🟠

Likely Case

Denial of service affecting BGP routing functionality, requiring service restart and potentially causing temporary network instability.

🟢

If Mitigated

Minimal impact if proper network segmentation and input validation are in place to filter malicious BGP packets.

🌐 Internet-Facing: HIGH - BGP peers are typically internet-facing, making them directly accessible to attackers.
🏢 Internal Only: MEDIUM - Internal BGP peers could be exploited by compromised internal systems or malicious insiders.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending a malformed BGP packet, which is straightforward for attackers with BGP peer access.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.35.0

Vendor Advisory: https://github.com/osrg/gobgp/commit/08a001e06d90e8bcc190084c66992f46f62c0986

Restart Required: Yes

Instructions:

1. Stop the GoBGP service.
2. Update to version 3.35.0 or later using your package manager or by building from source.
3. Restart the GoBGP service.

🔧 Temporary Workarounds

BGP Packet Filtering

all

Use network firewalls or BGP session filters to block malformed BGP packets from untrusted sources.

Restrict BGP Peer Access

all

Limit BGP connections to trusted peers only using access control lists.

🧯 If You Can't Patch

  • Implement strict BGP peer authentication and limit connections to known trusted peers only.
  • Deploy network monitoring to detect and alert on GoBGP service crashes or restarts.

🔍 How to Verify

Check if Vulnerable:

Check the GoBGP version: if it is below 3.35.0, the system is vulnerable.

Check Version:

gobgpd --version

Verify Fix Applied:

Confirm the GoBGP version is 3.35.0 or higher, and monitor for crashes after applying the patch.
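The version check above is a numeric comparison, not a string one (3.9.x sorts after 3.35.0 lexically but is older). The script below is an added example, not part of this advisory or of the GoBGP project: it pulls the first X.Y.Z token out of whatever `gobgpd --version` prints, compares it component by component against the fixed release 3.35.0, and reports vulnerable, fixed, or unparseable. It assumes the version output contains a bare X.Y.Z token such as "gobgpd version 3.34.0" (a constructed sample; confirm the format against your own build).

```shell
#!/bin/sh
# Added example: is the installed GoBGP below the fixed release 3.35.0?
# Not from the advisory or the GoBGP project. Assumes `gobgpd --version`
# prints a line containing an X.Y.Z version token (e.g. "gobgpd version 3.34.0").

FIXED_VERSION="3.35.0"   # first release with the fix, per the advisory

# Print the first X.Y.Z token found in the argument; print nothing if absent.
# Every character outside [0-9.] becomes a line break, so "v3.35.0-rc1" yields 3.35.0.
extract_version() {
    printf '%s\n' "$1" \
        | tr -c '0-9.\n' '\n' \
        | grep '^[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*$' \
        | head -n 1
}

# Return 0 when X.Y.Z version $1 is numerically lower than X.Y.Z version $2.
# Components are compared as integers, so 3.9.9 < 3.35.0 as intended.
version_lt() {
    a_major=${1%%.*}; a_rest=${1#*.}; a_minor=${a_rest%%.*}; a_patch=${a_rest#*.}
    b_major=${2%%.*}; b_rest=${2#*.}; b_minor=${b_rest%%.*}; b_patch=${b_rest#*.}
    [ "$a_major" -lt "$b_major" ] && return 0
    [ "$a_major" -gt "$b_major" ] && return 1
    [ "$a_minor" -lt "$b_minor" ] && return 0
    [ "$a_minor" -gt "$b_minor" ] && return 1
    [ "$a_patch" -lt "$b_patch" ]
}

# Return 0 if the version embedded in $1 is below FIXED_VERSION (vulnerable),
# 1 if it is at or above it (fixed), 2 if no version could be parsed.
gobgp_vulnerable() {
    ver=$(extract_version "$1")
    if [ -z "$ver" ]; then
        echo "could not parse a version from: $1" >&2
        return 2
    fi
    version_lt "$ver" "$FIXED_VERSION"
}

# Live check against the local binary, if one is on PATH.
if command -v gobgpd >/dev/null 2>&1; then
    output=$(gobgpd --version 2>&1 || true)
    rc=0
    gobgp_vulnerable "$output" || rc=$?
    case $rc in
        0) echo "VULNERABLE: '$output' is below $FIXED_VERSION" ;;
        1) echo "OK: '$output' is $FIXED_VERSION or later" ;;
        *) echo "UNKNOWN: could not read a version from '$output'" ;;
    esac
else
    echo "gobgpd not found in PATH; call gobgp_vulnerable with a version string to test" >&2
fi
```

Because the check parses a version string rather than probing the daemon, it can also be run against output collected from remote hosts by a configuration management tool, and the exit code (0 vulnerable, 1 fixed, 2 unknown) is easy to feed into an inventory report.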

📡 Detection & Monitoring

Log Indicators:

  • GoBGP panic logs
  • Unexpected service termination
  • BGP session resets

Network Indicators:

  • Unusual BGP packet patterns
  • BGP session flaps from specific peers

SIEM Query:

source="gobgp.log" AND (panic OR crash OR "unexpected EOF")

🔗 References
