CVE-2025-43971: 
NixOS vulnerability analysis and mitigation

A vulnerability was discovered in GoBGP versions before 3.35.0, identified as CVE-2025-43971. The issue resides in the pkg/packet/bgp/bgp.go file where a zero value for softwareVersionLen can cause a panic in the application. This vulnerability was disclosed on April 20, 2025 (MITRE, NVD).

The vulnerability exists in the SoftVersion capability parser where the softwareVersionLen parameter is not properly validated. Specifically, when processing the software version capability, the code fails to check if softwareVersionLen is zero, which leads to an invalid slice operation data[1:c.SoftwareVersionLen] causing a runtime panic. The vulnerability has been assigned a CVSS v3.1 base score of 8.6 HIGH with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H (NVD).

When exploited, this vulnerability can cause a denial of service condition by triggering a panic in the GoBGP application. The high CVSS score of 8.6 indicates that the vulnerability can be exploited remotely without requiring privileges or user interaction, potentially affecting the availability of BGP routing services (NVD).

The vulnerability has been fixed in GoBGP version 3.35.0. The fix involves adding an additional check to validate that softwareVersionLen is not zero in the capability parser. Users are advised to upgrade to version 3.35.0 or later to address this security issue (GitHub Compare).