CVE-2025-43971
CVE Details
Visit the official vulnerability details page for CVE-2025-43971 to learn more.
Initial Publication
04/22/2025
Last Update
09/02/2025
Third Party Dependency
github.com/osrg/gobgp/v3
NIST CVE Summary
An issue was discovered in GoBGP before 3.35.0. pkg/packet/bgp/bgp.go allows attackers to cause a panic via a zero value for softwareVersionLen.
CVE Severity
Our Official Summary
A denial-of-service vulnerability in GoBGP (versions < 3.35.0) can cause the process to panic and crash when it parses a BGP “Software Version” capability where softwareVersionLen is zero. No authentication is required if an attacker can deliver a crafted BGP message to the vulnerable process.
There are no known instances of projects using these components, such as kube-vip and Calico, being affected by this CVE, as this happens only under specific circumstances.
The risk of exploitation is considered low, as it requires both knowledge of the configuration and privileged access to the services using the BGP component. The impact if compromised is considered medium, as it could affect cluster networking and access depending on the configuration.
Upstream patches addressing these issues are available and will be adopted to remediate the vulnerabilities.
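To check whether a Go project pins an affected release of the dependency named above, the following added example (not part of the original advisory and not GoBGP code) scans go.mod text for github.com/osrg/gobgp/v3 and flags versions before 3.35.0. The function names and the sample go.mod are constructed for illustration, and replace and exclude directives are assumed absent and are not interpreted.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

const gobgpModule = "github.com/osrg/gobgp/v3" // module path named in the advisory
const fixedMinor = 35                          // first fixed release: 3.35.0
// findGoBGP (hypothetical helper) returns the gobgpModule version required in go.mod text, or "".
func findGoBGP(goMod string) string {
	inRequire := false
	sc := bufio.NewScanner(strings.NewReader(goMod))
	for sc.Scan() {
		line, _, _ := strings.Cut(sc.Text(), "//") // drop comments such as "// indirect"
		f := strings.Fields(line)
		switch {
		case len(f) == 2 && f[0] == "require" && f[1] == "(":
			inRequire = true
		case len(f) == 1 && f[0] == ")":
			inRequire = false
		case len(f) == 3 && f[0] == "require" && f[1] == gobgpModule:
			return f[2] // single-line form: require <path> <version>
		case inRequire && len(f) == 2 && f[0] == gobgpModule:
			return f[1] // entry inside a require ( ... ) block
		}
	}
	return ""
}

// affected reports whether a v3.MINOR.PATCH version sorts before 3.35.0; ok is false otherwise.
func affected(version string) (vuln, ok bool) {
	p := strings.SplitN(strings.TrimPrefix(version, "v"), ".", 3)
	if len(p) != 3 || p[0] != "3" {
		return false, false
	}
	minor, err := strconv.Atoi(p[1])
	if err != nil {
		return false, false
	}
	// Pre-releases and pseudo-versions of 3.35.0 ("v3.35.0-...") precede the fixed release.
	return minor < fixedMinor || (minor == fixedMinor && strings.HasPrefix(p[2], "0-")), true
}

func main() {
	sample := "require (\n\tgithub.com/osrg/gobgp/v3 v3.34.0 // indirect\n)\n" // constructed sample go.mod
	fmt.Println(affected(findGoBGP(sample)))
}
```

An empty result from findGoBGP means the module is not required directly or indirectly in that go.mod; vendored copies and container images need to be checked separately.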
Status
Ongoing
Affected Products & Versions
Version | Palette Enterprise | Palette Enterprise Airgap | VerteX | VerteX Airgap |
---|---|---|---|---|
4.7.16 | ⚠️ Impacted | ✅ No Impact | ⚠️ Impacted | ⚠️ Impacted |
4.6.41 | ⚠️ Impacted | ⚠️ Impacted | ⚠️ Impacted | ⚠️ Impacted |
Revision History
Date | Revision |
---|---|
08/18/2025 | Official summary revised: A denial-of-service vulnerability in GoBGP (versions < 3.35.0) can cause the process to panic and crash when it parses a BGP “Software Version” capability where softwareVersionLen is zero. No authentication is required if an attacker can deliver a crafted BGP message to the vulnerable process. There are no known instances of projects using these components such as kube-vip and calico being affected by this CVE, as this happens only under specific circumstances. The risk of exploitation is considered low, as it requires both knowledge of the configuration and privileged access to the services using the BGP component. The impact if compromised is considered medium as it could affect cluster network and access depending on the configuration. Upstream patches addressing these issues are available and will be adopted to remediate the vulnerabilities. |
08/12/2025 | Official summary revised: The vulnerability originates from a flaw in the pkg/packet/bgp/bgp.go file in GoBGP versions prior to 3.35.0. Specifically, if the softwareVersionLen field is set to zero, it can trigger a panic within the application, resulting in a crash. The risk of exploitation is low, as it requires privileged access and the ability to execute code within the container. Furthermore, the overall impact is limited due to the containerized environment, which restricts the available attack surface. Upstream patches addressing this issue are available and will be adopted to resolve the vulnerability. |
05/20/2025 | Status changed from Open to Ongoing |
05/15/2025 | Advisory severity revised to HIGH from |