
CVE-2025-43971

CVE Details

Visit the official vulnerability details page for CVE-2025-43971 to learn more.

Initial Publication

04/22/2025

Last Update

09/02/2025

Third Party Dependency

github.com/osrg/gobgp/v3

NIST CVE Summary

An issue was discovered in GoBGP before 3.35.0. pkg/packet/bgp/bgp.go allows attackers to cause a panic via a zero value for softwareVersionLen.

CVE Severity

7.5

Our Official Summary

A denial-of-service vulnerability in GoBGP (versions < 3.35.0) can cause the process to panic and crash when it parses a BGP “Software Version” capability where softwareVersionLen is zero. No authentication is required if an attacker can deliver a crafted BGP message to the vulnerable process.

There are no known instances of projects that use this component, such as kube-vip and Calico, being affected by this CVE, because the panic occurs only under specific circumstances.

The risk of exploitation is considered low, as it requires both knowledge of the configuration and privileged access to the services using the BGP component. The impact if compromised is considered medium, as it could affect cluster networking and access depending on the configuration.

Upstream patches addressing these issues are available and will be adopted to remediate the vulnerabilities.
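
The length handling described in the summary, shown as an added Go example; it is not GoBGP's code or the upstream patch. The function and constant names are hypothetical, and the value layout (one length octet followed by the version string, capped at 64 octets) is an assumption.

```go
package main

import (
	"errors"
	"fmt"
)

// Assumed upper bound for the version string; not taken from the advisory.
const maxSoftwareVersionLen = 64

var errBadSoftwareVersion = errors.New("malformed software version capability")

// parseSoftwareVersion decodes a capability value assumed to be laid out as
// [1-octet length][version string]. Every length is validated before any
// slicing, so malformed input returns an error instead of panicking.
func parseSoftwareVersion(value []byte) (string, error) {
	if len(value) == 0 {
		return "", fmt.Errorf("%w: empty value", errBadSoftwareVersion)
	}
	n := int(value[0])
	body := value[1:]
	switch {
	case n == 0: // the zero-length case named in the CVE summary
		return "", fmt.Errorf("%w: zero length", errBadSoftwareVersion)
	case n > maxSoftwareVersionLen:
		return "", fmt.Errorf("%w: length %d over limit", errBadSoftwareVersion, n)
	case n > len(body): // declared length runs past the received octets
		return "", fmt.Errorf("%w: length %d, %d octets present", errBadSoftwareVersion, n, len(body))
	}
	return string(body[:n]), nil
}

func main() {
	// Constructed sample inputs, not captured traffic.
	samples := [][]byte{
		append([]byte{5}, "1.2.3"...), // well-formed
		{0},                           // zero length
		{9, 'a', 'b'},                 // truncated
		{},                            // empty value
	}
	for _, s := range samples {
		v, err := parseSoftwareVersion(s)
		fmt.Printf("%v -> %q, err=%v\n", s, v, err)
	}
}
```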

Status

Ongoing

Affected Products & Versions

| Version | Palette Enterprise | Palette Enterprise Airgap | VerteX | VerteX Airgap |
| --- | --- | --- | --- | --- |
| 4.7.16 | ⚠️ Impacted | ✅ No Impact | ⚠️ Impacted | ⚠️ Impacted |
| 4.6.41 | ⚠️ Impacted | ⚠️ Impacted | ⚠️ Impacted | ⚠️ Impacted |

Revision History

| Date | Revision |
| --- | --- |
| 08/18/2025 | Official summary revised: A denial-of-service vulnerability in GoBGP (versions < 3.35.0) can cause the process to panic and crash when it parses a BGP “Software Version” capability where softwareVersionLen is zero. No authentication is required if an attacker can deliver a crafted BGP message to the vulnerable process. There are no known instances of projects using these components such as kube-vip and calico being affected by this CVE, as this happens only under specific circumstances. The risk of exploitation is considered low, as it requires both knowledge of the configuration and privileged access to the services using the BGP component. The impact if compromised is considered medium as it could affect cluster network and access depending on the configuration. Upstream patches addressing these issues are available and will be adopted to remediate the vulnerabilities. |
| 08/12/2025 | Official summary revised: The vulnerability originates from a flaw in the pkg/packet/bgp/bgp.go file in GoBGP versions prior to 3.35.0. Specifically, if the softwareVersionLen field is set to zero, it can trigger a panic within the application, resulting in a crash. The risk of exploitation is low, as it requires privileged access and the ability to execute code within the container. Furthermore, the overall impact is limited due to the containerized environment, which restricts the available attack surface. Upstream patches addressing this issue are available and will be adopted to resolve the vulnerability. |
| 05/20/2025 | Status changed from Open to Ongoing |
| 05/15/2025 | Advisory severity revised to HIGH from |