CVE-2025-43970

EUVD-2025-12350
An issue was discovered in GoBGP before 3.35.0. pkg/packet/mrt/mrt.go does not properly check the input length, e.g., by ensuring that there are 12 bytes or 36 bytes (depending on the address family).
| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | Primary | 4.3 MEDIUM | LOCAL | LOW | NONE | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L |
| mitre | CNA | 4.3 MEDIUM | | | | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L |
EPSS Score percentile: 25%
Affected Products (NVD)

| Vendor | Product | Version |
|---|---|---|
| osrg | gobgp | 𝑥 < 3.35.0 |

𝑥 = Vulnerable software versions
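Debian Releases

| Debian Product | Codename | Version | Status |
|---|---|---|---|
| gobgp | bookworm | | no-dsa |
| gobgp | bullseye | | postponed |
| gobgp | forky | 3.36.0-2 | fixed |
| gobgp | sid | 3.36.0-2 | fixed |
| gobgp | trixie | 3.36.0-2 | fixed |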