CVE-2026-45047
Bird-lg-go has a Fatal Out-of-Memory (OOM) Denial of Service via Unbounded JSON Decoding
Description
### Summary

The `apiHandler` (and similarly `webHandlerTelegramBot`) processes user-provided JSON payloads by calling `json.NewDecoder(r.Body).Decode(&request)` directly, without restricting the maximum number of bytes read from the body. An unauthenticated remote attacker can stream an extremely large, endless JSON payload (e.g., several gigabytes of padding) over a single TCP connection. Because Go's JSON decoder buffers and allocates memory for the entire parsed value, this rapidly exhausts the host's physical RAM or the container's memory limit, leading to an unrecoverable `fatal error: runtime: out of memory`. The Linux OOM killer then terminates the entire `bird-lg-go` daemon, resulting in a severe Remote Denial of Service (RDoS).

### Details

In `api.go`:

```go
func apiHandler(w http.ResponseWriter, r *http.Request) {
	var request apiRequest
	// VULNERABILITY: No http.MaxBytesReader protection before JSON decode
	err := json.NewDecoder(r.Body).Decode(&request)
	// ...
}
```
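A hardened form of the handler, added here as an illustration and not the project's own patched code: the body is wrapped in `http.MaxBytesReader` before decoding, so the decoder can never buffer more than the cap, and an over-limit stream is answered with 413 rather than growing the heap. The 64 KiB cap, the `apiRequest` fields and the `statusFor` helper are assumptions made for this example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// maxBodyBytes is an assumed cap chosen for this example; the project defines no such constant.
const maxBodyBytes = 64 << 10 // 64 KiB, far more than a looking-glass query needs

// apiRequest stands in for the advisory's request struct; the field names are assumptions.
type apiRequest struct {
	Servers []string `json:"servers"`
	Type    string   `json:"type"`
	Args    string   `json:"args"`
}

// hardenedAPIHandler decodes the body only through http.MaxBytesReader, so however
// long the client keeps streaming, the decoder is fed at most maxBodyBytes.
// Exceeding the cap surfaces as *http.MaxBytesError (Go 1.19+) and is answered with 413.
func hardenedAPIHandler(w http.ResponseWriter, r *http.Request) {
	r.Body = http.MaxBytesReader(w, r.Body, maxBodyBytes)
	var request apiRequest
	if err := json.NewDecoder(r.Body).Decode(&request); err != nil {
		var tooLarge *http.MaxBytesError
		if errors.As(err, &tooLarge) {
			http.Error(w, "request body too large", http.StatusRequestEntityTooLarge)
			return
		}
		http.Error(w, "malformed JSON request", http.StatusBadRequest)
		return
	}
	w.WriteHeader(http.StatusOK)
}

// statusFor drives the handler with a constructed in-memory request and returns the status code.
func statusFor(body string) int {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodPost, "/api/", strings.NewReader(body))
	hardenedAPIHandler(rec, req)
	return rec.Code
}

func main() {
	// Constructed inputs: a normal query, and the same query behind a whitespace run that exceeds the cap.
	valid := `{"servers":["s1"],"type":"bird","args":"show status"}`
	fmt.Println(statusFor(valid))                                        // 200
	fmt.Println(statusFor(strings.Repeat(" ", maxBodyBytes+1) + valid)) // 413
}
```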
How to fix CVE-2026-45047
To remediate CVE-2026-45047, upgrade the affected package to a fixed version below.
- upgrade to 0.0.0-20260507060110-0ff87024cb9e or later
Is CVE-2026-45047 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- all versions from 0 up to, but not including, 0.0.0-20260507060110-0ff87024cb9e
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |