CVE-2025-43970

An issue was discovered in GoBGP before 3.35.0. pkg/packet/mrt/mrt.go does not properly check the input length, e.g., by ensuring that there are 12 bytes or 36 bytes (depending on the address family).

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/43xxx/CVE-2025-43970.json",
    "cna_assigner": "mitre",
    "cwe_ids": [
        "CWE-1284"
    ]
}

References

Affected packages

Git / github.com/osrg/gobgp

Affected ranges

Type

GIT

Repo

https://github.com/osrg/gobgp

Events

Introduced

Fixed

5365453707a9f9bcbeb2cc4cff24803ffcc9bbaa

Fixed

5153bafbe8dbe1a2f02a70bbf0365e98b80e47b0

Database specific

{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "3.35.0"
        }
    ],
    "cpe": "cpe:2.3:a:osrg:gobgp:*:*:*:*:*:*:*:*",
    "source": [
        "CPE_RANGE",
        "REFERENCES"
    ]
}

Affected versions

v1.*

v1.0

v1.1

v1.10

v1.11

v1.12

v1.13

v1.14

v1.15

v1.16

v1.17

v1.18

v1.19

v1.2

v1.20

v1.21

v1.22

v1.23

v1.24

v1.25

v1.26

v1.27

v1.28

v1.29

v1.3

v1.30

v1.31

v1.32

v1.33

v1.4

v1.5

v1.6

v1.7

v1.8

v1.9

v2.*

v2.0.0

v2.1.0

v2.10.0

v2.11.0

v2.12.0

v2.13.0

v2.14.0

v2.15.0

v2.16.0

v2.17.0

v2.18.0

v2.19.0

v2.2.0

v2.20.0

v2.21.0

v2.22.0

v2.23.0

v2.24.0

v2.25.0

v2.26.0

v2.27.0

v2.28.0

v2.29.0

v2.3.0

v2.30.0

v2.31.0

v2.32.0

v2.33.0

v2.34.0

v2.4.0

v2.5.0

v2.6.0

v2.7.0

v2.8.0

v2.9.0

v3.*

v3.0.0

v3.0.0-rc1

v3.0.0-rc2

v3.0.0-rc3

v3.0.0-rc4

v3.1.0

v3.10.0

v3.11.0

v3.12.0

v3.13.0

v3.14.0

v3.15.0

v3.16.0

v3.17.0

v3.19.0

v3.2.0

v3.20.0

v3.21.0

v3.22.0

v3.23.0

v3.24.0

v3.25.0

v3.26.0

v3.27.0

v3.28.0

v3.29.0

v3.3.0

v3.30.0

v3.31.0

v3.32.0

v3.33.0

v3.34.0

v3.4.0

v3.5.0

v3.6.0

v3.7.0

v3.8.0

v3.9.0

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-43970.json"