CVE-2025-43971

GoBGP Panic: The Zero-Byte Assassin

Alon Barad
Software Engineer

Jan 12, 2026

Executive Summary (TL;DR)

GoBGP, a popular BGP implementation, crashes when parsing a specific optional capability in the BGP OPEN message. By setting the 'Software Version' length to zero, an attacker forces a slice bounds out of range panic (data[1:0]). This requires no authentication if the attacker can reach the BGP port, resulting in a complete teardown of BGP sessions and potential routing outages. Fixed in version 3.35.0.

A critical Denial of Service (DoS) vulnerability in GoBGP allows remote attackers to crash the BGP daemon by sending a malformed BGP OPEN message. The crash is triggered by a Go runtime panic due to an improper slice operation when parsing the Software Version capability.
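
The slice failure described above can be reproduced in isolation. The following Go sketch is an added example, not GoBGP's source: the function names, the one-byte-length layout of the capability value, and the choice to reject a zero length are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// Assumed layout of the capability value for this example:
// data[0] = declared version length, data[1:] = version bytes.

// parseUnchecked uses the slice pattern named in the summary: the declared
// length becomes the upper bound without any validation.
func parseUnchecked(data []byte) string {
	n := int(data[0])
	return string(data[1:n]) // n == 0 gives data[1:0], a runtime panic
}

// parseChecked validates the declared length against the buffer before slicing.
func parseChecked(data []byte) (string, error) {
	if len(data) < 1 {
		return "", errors.New("capability value too short")
	}
	n := int(data[0])
	if n == 0 || n > len(data)-1 { // rejecting zero is this example's policy
		return "", errors.New("invalid software version length")
	}
	return string(data[1 : 1+n]), nil
}

// panics reports whether f panicked, so the failure can be observed safely.
func panics(f func()) (p bool) {
	defer func() { p = recover() != nil }()
	f()
	return false
}

func main() {
	zero := []byte{0x00} // constructed sample: declared length of zero
	fmt.Println("unchecked panics:", panics(func() { parseUnchecked(zero) }))
	_, err := parseChecked(zero)
	fmt.Println("checked:", err)
	v, _ := parseChecked([]byte{3, 'v', '3', '5'}) // constructed sample
	fmt.Println("checked ok:", v)
}
```

In a long-running daemon, an unrecovered panic of this kind terminates the whole process, which is why a single malformed length field is enough to tear down every session.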

Technical Appendix

CVSS Score: 8.6 / 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H)
EPSS Probability: 0.03% (Top 93% most exploited)

Affected Systems

GoBGP < 3.35.0

Affected Versions Detail

Product: GoBGP (OSRG)
Affected Versions: < 3.35.0
Fixed Version: 3.35.0

CWE ID: CWE-129
Attack Vector: Network
CVSS Score: 8.6 (High)
EPSS Score: 0.00026
Impact: Denial of Service (DoS)
Exploit Status: PoC Available

CWE-129: Improper Validation of Array Index

Vulnerability Timeline

2025-02-07: Fix committed to GitHub
2025-04-21: CVE Published