PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-45047 xddxdd CVE debrief

CVE-2026-45047 is a HIGH severity (CVSS 7.5) uncontrolled resource consumption vulnerability in bird-lg-go, a BIRD looking glass implementation written in Go. Published 2026-05-27, the flaw affects versions prior to 1.4.5. The apiHandler and webHandlerTelegramBot functions process user-provided JSON payloads using json.NewDecoder without enforcing a maximum read size. An unauthenticated remote attacker can stream an extremely large or endless JSON payload over a single TCP connection, causing Go's JSON decoder to allocate excessive memory and exhaust host RAM or container limits, resulting in an unrecoverable fatal runtime out-of-memory error. This represents a classic denial-of-service condition via resource exhaustion (CWE-400). The vulnerability is remediated in version 1.4.5.

Vendor: xddxdd
Product: bird-lg-go
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-27
Original CVE updated: 2026-05-27
Advisory published: 2026-05-27
Advisory updated: 2026-05-27

Who should care

Organizations operating bird-lg-go looking glass instances, particularly those exposed to untrusted networks or the public internet. Network operators using BIRD route servers with web-based diagnostic interfaces. Security teams responsible for Go-based web services handling JSON input. Infrastructure teams managing containerized deployments where memory limits may trigger cascading failures.

Technical summary

The vulnerability exists in the JSON request handling of bird-lg-go's apiHandler and webHandlerTelegramBot functions. These handlers use json.NewDecoder(r.Body).Decode(&request) without implementing size limits on the incoming request body. Go's json.Decoder will attempt to parse and allocate memory for the entire JSON structure as it is streamed. An attacker can exploit this by maintaining a single TCP connection and streaming a massive or infinite JSON payload (e.g., gigabytes of array padding or deeply nested objects). This causes unbounded memory allocation, leading to OOM kills or fatal runtime errors that terminate the application. The attack requires no authentication and has low complexity, making it trivial to execute. The fix in version 1.4.5 presumably implements request body size limits or streaming controls to prevent unbounded memory consumption.

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade bird-lg-go to version 1.4.5 or later to remediate this vulnerability.
  • If immediate patching is not feasible, implement network-level controls to restrict access to bird-lg-go API endpoints to trusted sources only.
  • Consider deploying resource limits (memory caps, request timeouts, and connection limits) at the container or reverse proxy level to mitigate memory exhaustion risks.
  • Monitor for anomalous large inbound JSON payloads or sustained connections to apiHandler and webHandlerTelegramBot endpoints as potential indicators of exploitation attempts.
  • Review application logs for fatal runtime out-of-memory errors that may indicate active or attempted exploitation.
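The uncapped decode pattern described in the technical summary, next to the body-size cap the defensive actions recommend, as an added example that is not bird-lg-go's own code; the apiRequest fields, the 64 KiB cap and the /api/ path are assumptions made for the illustration.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// apiRequest is an assumed request shape for the example, not the project's real struct.
type apiRequest struct {
	Servers []string `json:"servers"`
	Type    string   `json:"type"`
	Args    string   `json:"args"`
}

// maxBodyBytes is an illustrative cap; size it to the largest legitimate query.
const maxBodyBytes = 64 << 10

// vulnerableHandler decodes straight from r.Body with no cap: the pattern the advisory describes.
func vulnerableHandler(w http.ResponseWriter, r *http.Request) {
	var req apiRequest
	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
		http.Error(w, "bad request", http.StatusBadRequest)
		return
	}
	w.WriteHeader(http.StatusOK)
}

// hardenedHandler wraps the body in http.MaxBytesReader, so the decoder fails once the
// cap is exceeded and the server stops buffering the stream instead of growing without bound.
func hardenedHandler(w http.ResponseWriter, r *http.Request) {
	r.Body = http.MaxBytesReader(w, r.Body, maxBodyBytes)
	var req apiRequest
	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
		var tooLarge *http.MaxBytesError
		if errors.As(err, &tooLarge) {
			http.Error(w, "request body too large", http.StatusRequestEntityTooLarge)
			return
		}
		http.Error(w, "bad request", http.StatusBadRequest)
		return
	}
	w.WriteHeader(http.StatusOK)
}

// statusFor runs a handler against a constructed POST body and returns the HTTP status code.
func statusFor(h http.HandlerFunc, body string) int {
	rec := httptest.NewRecorder()
	h(rec, httptest.NewRequest(http.MethodPost, "/api/", strings.NewReader(body)))
	return rec.Code
}

func main() {
	small := `{"servers":["rs1"],"type":"bird","args":"show protocols"}`
	huge := `{"servers":[` + strings.Repeat(`"x",`, 40000) + `"x"]}` // constructed oversized payload
	fmt.Println(statusFor(hardenedHandler, small), statusFor(hardenedHandler, huge)) // 200 413
}
```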

Evidence notes

Vulnerability description sourced from NVD record and GitHub Security Advisory GHSA-39qr-rc93-vhqm. CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. CWE-400 (Uncontrolled Resource Consumption) assigned by [email protected]. Fix version 1.4.5 confirmed in advisory.
