CVE-2025-43972: 
NixOS vulnerability analysis and mitigation

A buffer overflow vulnerability was discovered in GoBGP versions before 3.35.0, identified as CVE-2025-43972. The vulnerability exists in the pkg/packet/bgp/bgp.go flowspec parser where an attacker can cause a crash by sending fewer than 20 bytes in a certain context (GoBGP Commit). The issue was discovered and disclosed in April 2025 (NVD).

The vulnerability stems from insufficient input validation in the flowspec parser. Specifically, while the code checks for a minimum of 8 bytes, it fails to validate that the input contains the required 20 bytes needed for proper IPv6 FlowSpec processing. This oversight can lead to a buffer overflow condition when processing malformed packets. The vulnerability has been assigned a CVSS v3.1 base score of 6.8 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H (NVD).

When exploited, this vulnerability can cause the GoBGP application to crash, leading to a denial of service condition. The impact is particularly concerning for network infrastructure that relies on GoBGP for BGP routing functionality (NVD).

The vulnerability has been fixed in GoBGP version 3.35.0. Users are advised to upgrade to this version or later. The fix includes additional input validation to check for the required minimum length of 20 bytes before processing IPv6 FlowSpec data (GoBGP Release).