CVE-2025-43970

An issue was discovered in GoBGP before 3.35.0. pkg/packet/mrt/mrt.go does not properly check the input length, e.g., by ensuring that there are 12 bytes or 36 bytes (depending on the address family).
| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | NIST | 4.3 MEDIUM | LOCAL | LOW | NONE | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L |
| mitre | CNA | 4.3 MEDIUM | | | | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L |
| CISA-ADP | ADP | --- | | | | --- |

EPSS Score: Percentile: 18%

| Vendor | Product | Version |
|---|---|---|
| osrg | gobgp | 𝑥 < 3.35.0 |

𝑥 = Vulnerable software versions
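
Debian Releases

| Debian Product | Codename | Version | Status |
|---|---|---|---|
| gobgp | bullseye | | postponed |
| gobgp | bookworm | | vulnerable |
| gobgp | sid | 3.36.0-2 | fixed |
| gobgp | trixie | 3.36.0-2 | fixed |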