Skip to main content

bird-lg-go EUVDEUVD-2026-32583

| CVE-2026-45047 HIGH
Uncontrolled Resource Consumption (CWE-400)
2026-05-11 https://github.com/xddxdd/bird-lg-go GHSA-39qr-rc93-vhqm
7.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

3
Source Code Evidence Fetched
May 11, 2026 - 16:48 vuln.today
Analysis Generated
May 11, 2026 - 16:48 vuln.today
CVE Published
May 11, 2026 - 16:17 nvd
HIGH 7.5

DescriptionGitHub Advisory

Summary

The apiHandler (and similarly webHandlerTelegramBot) processes user-provided JSON payloads by directly using json.NewDecoder(r.Body).Decode(&request) without restricting the maximum read size. An unauthenticated remote attacker can stream an extremely large, endless JSON payload (e.g., several Gigabytes of padding) over a single TCP connection. Because Go's JSON decoder attempts to allocate memory for the entire parsed structure, this rapidly exhausts the host's physical RAM or container limits, leading to an unrecoverable fatal error: runtime: out of memory.

This causes the Linux OOM Killer to instantly terminate the entire bird-lg-go daemon, resulting in a severe Remote Denial of Service (RDoS).

Details

In api.go:

go
func apiHandler(w http.ResponseWriter, r *http.Request) {
    var request apiRequest
    // VULNERABILITY: No http.MaxBytesReader protection before JSON decode
    err := json.NewDecoder(r.Body).Decode(&request)
    // ...

AnalysisAI

Remote attackers can instantly crash bird-lg-go frontends by sending unbounded JSON payloads to the unauthenticated /api or /telegram endpoints. The application's JSON decoder allocates memory without size limits, allowing multi-gigabyte payloads to trigger out-of-memory fatalities that force the Linux OOM Killer to terminate the daemon. Patch available in commit 0ff87024 (v1.4.5) implements a 100KB request body limit. No public exploit identified at time of analysis. CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) reflects easy remote exploitation requiring no authentication, though impact is limited to availability disruption.

Technical ContextAI

Bird-lg-go is a Go-based Looking Glass frontend for BIRD routing daemon, providing web and Telegram bot interfaces for network diagnostics. The vulnerability stems from Go's encoding/json package behavior when used with NewDecoder(r.Body).Decode() without prior size constraints. Go's JSON decoder reads the entire input stream into memory before parsing, making it vulnerable to resource exhaustion attacks when processing attacker-controlled HTTP request bodies. The affected code in api.go and telegram_bot.go lacks http.MaxBytesReader wrapping, a standard Go idiom for enforcing request size limits. This is an instance of CWE-400 (Uncontrolled Resource Consumption), specifically memory exhaustion via unbounded input processing. The affected package is pkg:go/github.com_xddxdd_bird-lg-go, impacting all versions prior to the patched commit.

RemediationAI

Upgrade to bird-lg-go version 1.4.5 or later, which incorporates the fix from commit 0ff87024cb9ed01fc5f5fdc6f4603fce4c123922 available at https://github.com/xddxdd/bird-lg-go/commit/0ff87024cb9ed01fc5f5fdc6f4603fce4c123922. The patch implements http.MaxBytesReader with a 100KB limit on request bodies before JSON decoding in both apiHandler and webHandlerTelegramBot functions, returning HTTP 413 (Request Entity Too Large) for oversized payloads. If immediate patching is not feasible, implement compensating controls at the reverse proxy or load balancer layer by enforcing a maximum request body size of 100KB on paths /api and /telegram/* (e.g., nginx client_max_body_size directive). This mitigation prevents oversized requests from reaching the vulnerable code but requires infrastructure changes and may not protect direct-to-application traffic. Note that rate limiting alone is insufficient since a single malicious request can cause the crash. Deploy automatic service restart mechanisms if not already present to minimize downtime from potential exploitation during the patching window.

Share

EUVD-2026-32583 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy