CVE-2025-43973
CVE Details
Visit the official vulnerability details page for CVE-2025-43973 to learn more.
Initial Publication
04/22/2025
Last Update
09/04/2025
Third Party Dependency
github.com/osrg/gobgp/v3
NIST CVE Summary
An issue was discovered in GoBGP before 3.35.0. pkg/packet/rtr/rtr.go does not verify that the input length corresponds to a situation in which all bytes are available for an RTR message.
CVE Severity
Our Official Summary
This is a critical vulnerability identified in GoBGP versions prior to 3.35.0. The vulnerability stems from the lack of appropriate length verification in the RTR message parsing functionality. In order to exploit this vulnerability, attacker will need to gain access to the kubernetes cluster running the 3rd party images. The risk of exploitation is low as this requires an authenticated user with escalated privileges. Impact of exploitation is low as the attack surface is restricted to the container. Go version will be upgraded to fix the vulnerabilities.
Status
Ongoing
Affected Products & Versions
| Version | Palette Enterprise | Palette Enterprise Airgap | VerteX | VerteX Airgap |
|---|---|---|---|---|
| 4.7.16 | ⚠️ Impacted | ✅ No Impact | ⚠️ Impacted | ⚠️ Impacted |
| 4.6.41 | ⚠️ Impacted | ⚠️ Impacted | ⚠️ Impacted | ⚠️ Impacted |
Revision History
| Date | Revision |
|---|---|
| 05/15/2025 | Advisory severity revised to CRITICAL from |
| 05/15/2025 | Status changed from Open to Ongoing |