GoBGP

GoBGP version 4.4.0 is vulnerable to a remote denial-of-service attack where a malformed BGP UPDATE message triggers a nil pointer dereference, crashing the GoBGP process.

A remote Denial of Service (DoS) vulnerability exists in GoBGP version 4.2.0 and earlier, where a malformed BGP UPDATE message can trigger a runtime error (index out of range panic), crashing the GoBGP process. This occurs during the processing of 4-byte AS attributes when the message structure causes an internal slice index shift that is not properly handled. A single malicious peer or a malformed route propagated through a transit provider can consistently crash the BGP daemon, leading to a complete loss of routing capabilities.