Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
3DescriptionGitHub Advisory
Summary
The apiHandler (and similarly webHandlerTelegramBot) processes user-provided JSON payloads by directly using json.NewDecoder(r.Body).Decode(&request) without restricting the maximum read size. An unauthenticated remote attacker can stream an extremely large, endless JSON payload (e.g., several Gigabytes of padding) over a single TCP connection. Because Go's JSON decoder attempts to allocate memory for the entire parsed structure, this rapidly exhausts the host's physical RAM or container limits, leading to an unrecoverable fatal error: runtime: out of memory.
This causes the Linux OOM Killer to instantly terminate the entire bird-lg-go daemon, resulting in a severe Remote Denial of Service (RDoS).
Details
In api.go:
func apiHandler(w http.ResponseWriter, r *http.Request) {
var request apiRequest
// VULNERABILITY: No http.MaxBytesReader protection before JSON decode
err := json.NewDecoder(r.Body).Decode(&request)
// ...AnalysisAI
Remote attackers can instantly crash bird-lg-go frontends by sending unbounded JSON payloads to the unauthenticated /api or /telegram endpoints. The application's JSON decoder allocates memory without size limits, allowing multi-gigabyte payloads to trigger out-of-memory fatalities that force the Linux OOM Killer to terminate the daemon. Patch available in commit 0ff87024 (v1.4.5) implements a 100KB request body limit. No public exploit identified at time of analysis. CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) reflects easy remote exploitation requiring no authentication, though impact is limited to availability disruption.
Technical ContextAI
Bird-lg-go is a Go-based Looking Glass frontend for BIRD routing daemon, providing web and Telegram bot interfaces for network diagnostics. The vulnerability stems from Go's encoding/json package behavior when used with NewDecoder(r.Body).Decode() without prior size constraints. Go's JSON decoder reads the entire input stream into memory before parsing, making it vulnerable to resource exhaustion attacks when processing attacker-controlled HTTP request bodies. The affected code in api.go and telegram_bot.go lacks http.MaxBytesReader wrapping, a standard Go idiom for enforcing request size limits. This is an instance of CWE-400 (Uncontrolled Resource Consumption), specifically memory exhaustion via unbounded input processing. The affected package is pkg:go/github.com_xddxdd_bird-lg-go, impacting all versions prior to the patched commit.
RemediationAI
Upgrade to bird-lg-go version 1.4.5 or later, which incorporates the fix from commit 0ff87024cb9ed01fc5f5fdc6f4603fce4c123922 available at https://github.com/xddxdd/bird-lg-go/commit/0ff87024cb9ed01fc5f5fdc6f4603fce4c123922. The patch implements http.MaxBytesReader with a 100KB limit on request bodies before JSON decoding in both apiHandler and webHandlerTelegramBot functions, returning HTTP 413 (Request Entity Too Large) for oversized payloads. If immediate patching is not feasible, implement compensating controls at the reverse proxy or load balancer layer by enforcing a maximum request body size of 100KB on paths /api and /telegram/* (e.g., nginx client_max_body_size directive). This mitigation prevents oversized requests from reaching the vulnerable code but requires infrastructure changes and may not protect direct-to-application traffic. Note that rate limiting alone is insufficient since a single malicious request can cause the crash. Deploy automatic service restart mechanisms if not already present to minimize downtime from potential exploitation during the patching window.
Same weakness CWE-400 – Uncontrolled Resource Consumption
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32583
GHSA-39qr-rc93-vhqm