
CVE-2025-43971

CVE Details

Visit the official vulnerability details page for CVE-2025-43971 to learn more.

Initial Publication

04/22/2025

Last Update

09/04/2025

Third Party Dependency

github.com/osrg/gobgp/v3

NIST CVE Summary

An issue was discovered in GoBGP before 3.35.0. pkg/packet/bgp/bgp.go allows attackers to cause a panic via a zero value for softwareVersionLen.

CVE Severity

7.5 (CVSS base score, rated High)

Our Official Summary

The vulnerability is a flaw in the pkg/packet/bgp/bgp.go file of GoBGP versions prior to 3.35.0, in the code that decodes the BGP Software Version capability. If the softwareVersionLen field carries the value zero, decoding panics instead of returning an error, and the panic crashes the process that embeds the library.

In Palette, the risk of exploitation is low: reaching the affected code requires privileged access and the ability to execute code within the container, and the containerized environment limits the attack surface available to an attacker. The upstream fix, released in GoBGP 3.35.0, will be adopted to resolve the vulnerability.
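The Go program below is an added illustration and is neither GoBGP's code nor part of this advisory. It reconstructs the bug class the advisory describes, an attacker-controlled length octet reaching a slice expression with an unchecked bound, as a hypothetical vulnerable decoder beside a hardened one, then sweeps all 256 possible values of the length octet to show that the hardened decoder never panics. The wire layout, the capability code 75 and the 64-byte version cap are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
)

// Wire layout assumed for this example (not taken from GoBGP's source):
//   [cap code][cap length][softwareVersionLen][softwareVersion bytes...]
// Code 75 is used here only to build sample input.
const capSoftwareVersion = 75

var (
	errTooShort  = errors.New("software version capability: truncated")
	errBadLength = errors.New("software version capability: length field out of range")
)

type decoder func([]byte) (string, error)

// decodeVulnerable is a hypothetical decoder showing the bug class: the length
// octet is range-checked, but the slice end is computed as swLen instead of
// 1+swLen. For swLen >= 1 it silently drops the last byte; for swLen == 0 the
// expression body[1:0] has low > high and the Go runtime panics.
func decodeVulnerable(data []byte) (string, error) {
	if len(data) < 3 {
		return "", errTooShort
	}
	body := data[2:]
	swLen := int(body[0])
	if swLen > len(body)-1 {
		return "", errTooShort
	}
	return string(body[1:swLen]), nil // BUG: wrong upper bound, panics when swLen == 0
}

// decodeHardened validates every quantity derived from peer-controlled bytes
// before using it as a slice bound. Zero is rejected as malformed (a policy
// choice for this example); what matters is that no value can reach a bad slice.
func decodeHardened(data []byte) (string, error) {
	if len(data) < 3 {
		return "", errTooShort
	}
	capLen := int(data[1])
	body := data[2:]
	if capLen > len(body) {
		return "", errTooShort
	}
	body = body[:capLen]
	swLen := int(body[0])
	if swLen == 0 || swLen > 64 || swLen > len(body)-1 { // 64: assumed maximum
		return "", errBadLength
	}
	return string(body[1 : 1+swLen]), nil
}

// callSafely turns a runtime panic inside dec into a reported condition, so the
// vulnerable decoder can be observed without crashing the program.
func callSafely(dec decoder, data []byte) (version string, panicked bool, err error) {
	defer func() {
		if r := recover(); r != nil {
			panicked = true
			err = fmt.Errorf("panic: %v", r)
		}
	}()
	version, err = dec(data)
	return
}

// buildCapability encodes one capability with an explicit, possibly wrong,
// softwareVersionLen so malformed input can be produced on purpose.
func buildCapability(swLen byte, version string) []byte {
	body := append([]byte{swLen}, version...)
	return append([]byte{capSoftwareVersion, byte(len(body))}, body...)
}

// countPanics feeds every value of the length octet (0..255) to dec with a
// fixed payload and reports how many panic. A decoder exposed to untrusted
// peers must return 0 here.
func countPanics(dec decoder) int {
	n := 0
	for l := 0; l < 256; l++ {
		if _, panicked, _ := callSafely(dec, buildCapability(byte(l), "3.35.0")); panicked {
			n++
		}
	}
	return n
}

func main() {
	good := buildCapability(6, "3.35.0") // constructed well-formed sample
	bad := buildCapability(0, "3.35.0")  // constructed sample with zero softwareVersionLen
	for _, tc := range []struct {
		name string
		dec  decoder
	}{{"vulnerable", decodeVulnerable}, {"hardened", decodeHardened}} {
		v, p, err := callSafely(tc.dec, good)
		fmt.Printf("%-10s well-formed: version=%q panicked=%v err=%v\n", tc.name, v, p, err)
		v, p, err = callSafely(tc.dec, bad)
		fmt.Printf("%-10s zero length: version=%q panicked=%v err=%v\n", tc.name, v, p, err)
		fmt.Printf("%-10s panics over all 256 length values: %d\n", tc.name, countPanics(tc.dec))
	}
}
```

The sweep in countPanics is the check worth keeping: a length-prefixed decoder should be run over the full range of its length field (and over truncated buffers) before it is exposed to a peer, and a recover-based harness such as callSafely is how a caller can confine a panic in a third-party parser while the upstream fix is being adopted.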

Status

Ongoing

Affected Products & Versions

Version   Palette Enterprise   Palette Enterprise Airgap   VerteX        VerteX Airgap
4.7.16    ⚠️ Impacted          ✅ No Impact                ⚠️ Impacted   ⚠️ Impacted
4.6.41    ⚠️ Impacted          ⚠️ Impacted                 ⚠️ Impacted   ⚠️ Impacted

Revision History

Date         Revision
08/12/2025   Official summary revised: The vulnerability originates from a flaw in the pkg/packet/bgp/bgp.go file in GoBGP versions prior to 3.35.0. Specifically, if the softwareVersionLen field is set to zero, it can trigger a panic within the application, resulting in a crash. The risk of exploitation is low, as it requires privileged access and the ability to execute code within the container. Furthermore, the overall impact is limited due to the containerized environment, which restricts the available attack surface. Upstream patches addressing this issue are available and will be adopted to resolve the vulnerability.
05/20/2025   Status changed from Open to Ongoing
05/15/2025   Advisory severity revised to HIGH from