CVE-2025-43970: GoBGP does not properly check the input length

April 21, 2025

An issue was discovered in GoBGP before 3.35.0. pkg/packet/mrt/mrt.go does not properly check the input length, e.g., by ensuring that there are 12 bytes or 36 bytes (depending on the address family).

References

github.com/advisories/GHSA-hqhq-hp5x-xp3w
github.com/osrg/gobgp
github.com/osrg/gobgp/commit/5153bafbe8dbe1a2f02a70bbf0365e98b80e47b0
github.com/osrg/gobgp/compare/v3.34.0...v3.35.0
nvd.nist.gov/vuln/detail/CVE-2025-43970

Code Behaviors & Features

Detect and mitigate CVE-2025-43970 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →