Description
bird-lg-go is a BIRD looking glass in Go. Prior to 1.4.5, the apiHandler (and similarly webHandlerTelegramBot) processes user-provided JSON payloads by directly using json.NewDecoder(r.Body).Decode(&request) without restricting the maximum read size. An unauthenticated remote attacker can stream an extremely large, endless JSON payload (e.g., several Gigabytes of padding) over a single TCP connection. Because Go's JSON decoder attempts to allocate memory for the entire parsed structure, this rapidly exhausts the host's physical RAM or container limits, leading to an unrecoverable fatal error: runtime: out of memory. This vulnerability is fixed in 1.4.5.
Published: 2026-05-27
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in bird‑lg‑go allows an unauthenticated attacker to submit an unbounded JSON payload to the apiHandler (and the similar webHandlerTelegramBot). The Go standard library json decoder reads the entire payload into memory, so a gigantic or endless stream exhausts host RAM and triggers a fatal runtime out‑of‑memory error that terminates the process. The crash is unrecoverable and renders the service unavailable until restarted, constituting a denial of service. The CVSS score of 7.5 indicates a high severity for this issue.

Affected Systems

Vendor xddxdd, product bird‑lg‑go. Versions earlier than 1.4.5 are affected; all releases 1.4.5 and later contain the mitigation.

Risk and Exploitability

Because the flaw accepts requests without authentication and can be triggered over a single TCP connection, it is straightforward to weaponize. The absence of request size limits means any client can craft a payload large enough to exhaust memory, even from a low‑privilege host. Despite the lack of an EPSS score, the high CVSS assessment and the fact that the vulnerability is publicly documented imply a non‑negligible exploitation risk. The vulnerability is not listed in CISA KEV, but operators should treat it as a significant threat.

Generated by OpenCVE AI on May 27, 2026 at 19:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade bird‑lg‑go to version 1.4.5 or newer.
  • Wrap the request body in http.MaxBytesReader or equivalent to bound the JSON decoder’s input size before it is processed.
  • Implement API rate limiting or timeout mechanisms to prevent sustained connection bursts and monitor for abrupt OOM crashes to trigger alerts.

Generated by OpenCVE AI on May 27, 2026 at 19:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-39qr-rc93-vhqm Bird-lg-go has a Fatal Out-of-Memory (OOM) Denial of Service via Unbounded JSON Decoding
History

Wed, 27 May 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 27 May 2026 17:45:00 +0000

Type Values Removed Values Added
Description bird-lg-go is a BIRD looking glass in Go. Prior to 1.4.5, the apiHandler (and similarly webHandlerTelegramBot) processes user-provided JSON payloads by directly using json.NewDecoder(r.Body).Decode(&request) without restricting the maximum read size. An unauthenticated remote attacker can stream an extremely large, endless JSON payload (e.g., several Gigabytes of padding) over a single TCP connection. Because Go's JSON decoder attempts to allocate memory for the entire parsed structure, this rapidly exhausts the host's physical RAM or container limits, leading to an unrecoverable fatal error: runtime: out of memory. This vulnerability is fixed in 1.4.5.
Title bird-lg-go: Fatal Out-of-Memory (OOM) Denial of Service via Unbounded JSON Decoding
Weaknesses CWE-400
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-27T18:03:10.363Z

Reserved: 2026-05-08T18:07:27.341Z

Link: CVE-2026-45047

cve-icon Vulnrichment

Updated: 2026-05-27T18:03:07.174Z

cve-icon NVD

Status : Received

Published: 2026-05-27T18:16:24.150

Modified: 2026-05-27T18:16:24.150

Link: CVE-2026-45047

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-27T19:30:35Z

Weaknesses