PatchDay Alert
MAY 4, 2026
Daily Digest By PatchDay Alert

GoBGP double-tap: two 7.3 parser bugs that can kill your BGP sessions

Two unauthenticated crashes in GoBGP's MRT and AIGP parsers, plus unpatched auth bypasses in MindsDB and yudao-cloud with public exploits already circulating. Prefect's WebSocket endpoint is wide open too.

Patch now: 2 | Within 24h: 1 | This week: 2 | Exploited: 0
Tags: GoBGP, Osrg, Linux, Prefect, PrefectHQ, Cloud, MindsDB, Yudao Cloud, Ruoyi Vue Pro

Calm Monday, nothing on fire, but a few things worth your attention. Two GoBGP bugs (CVE-2026-7736, CVE-2026-7735) let unauthenticated peers crash your BGP daemon via malformed MRT or AIGP attributes. And if you run Prefect, MindsDB, or yudao-cloud: public exploits are already circulating for all three, with no vendor patches in sight for the last two.


Today's CVEs

Sorted by urgency

02

CVE-2026-7735

CVSS 7.3 HIGH (NVD)
Tags: GoBGP, Osrg, Linux

An attacker can remotely send a crafted AIGP (Accumulated IGP) BGP attribute that triggers a buffer overflow in GoBGP's packet parser. This could crash the daemon or potentially allow code execution. No authentication is needed, so any peer, or anything spoofing a peer, could fire this off.

Included because
unauthenticated; remotely exploitable; buffer overflow; CVSS 7.3
Affected estate
Any system running osrg GoBGP versions up to and including 4.3.0.
How to check
Run `gobgpd --version`, or inspect the version of the github.com/osrg/gobgp dependency in your Go module file.
Action
Upgrade GoBGP to version 4.4.0.
Urgency
Patch this week
Why it matters
A buffer overflow in the AIGP attribute parser can be triggered by a remote peer, risking daemon crash or worse.
Source
NVD
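As an added example (not part of the digest or of GoBGP itself), a Python check for the "inspect your Go module dependency" step: it scans a go.mod for github.com/osrg/gobgp, with or without Go's /vN major-version path suffix, and flags versions below 4.4.0 using the thresholds above. The go.mod contents and module names are constructed for the demonstration.

```python
import re
from typing import Optional, Tuple

# Thresholds from the digest: up to and including 4.3.0 affected, 4.4.0 fixed.
GOBGP_MODULE = "github.com/osrg/gobgp"
GOBGP_FIXED = (4, 4, 0)

# Matches "github.com/osrg/gobgp v4.3.0", the major-version path form
# "github.com/osrg/gobgp/v4 v4.3.0", and pseudo-versions ("-..." tail = pre-release).
_REQ_RE = re.compile(
    r"^\s*" + re.escape(GOBGP_MODULE) + r"(?:/v\d+)?\s+v(\d+)\.(\d+)\.(\d+)(-\S+)?"
)

def gobgp_version(go_mod_text: str) -> Optional[Tuple[Tuple[int, int, int], bool]]:
    """Return ((major, minor, patch), is_prerelease) for the GoBGP require line,
    or None if GoBGP is not a dependency. Handles one-line "require X vN" and
    lines inside a "require ( ... )" block. "replace" directives are not followed."""
    for line in go_mod_text.splitlines():
        line = line.split("//", 1)[0].strip()        # drop trailing comments
        if line.startswith("require "):
            line = line[len("require "):]
        m = _REQ_RE.match(line)
        if m:
            return (int(m[1]), int(m[2]), int(m[3])), m[4] is not None
    return None

def gobgp_is_affected(go_mod_text: str) -> Optional[bool]:
    """True if the pinned GoBGP predates the fix, False if fixed, None if absent."""
    found = gobgp_version(go_mod_text)
    if found is None:
        return None
    version, prerelease = found
    # A pseudo-version "v4.4.0-0.<timestamp>-<hash>" predates the tagged 4.4.0.
    return version < GOBGP_FIXED or (prerelease and version == GOBGP_FIXED)

# Constructed sample go.mod files (module names are hypothetical).
VULNERABLE_GO_MOD = """\
module example.com/route-collector
require (
    github.com/osrg/gobgp/v4 v4.3.0
    golang.org/x/net v0.27.0 // indirect
)
"""
FIXED_GO_MOD = "module example.com/rc\n\nrequire github.com/osrg/gobgp/v4 v4.4.0\n"

if __name__ == "__main__":
    for name, text in (("vulnerable", VULNERABLE_GO_MOD), ("fixed", FIXED_GO_MOD)):
        print(name, gobgp_version(text), "affected:", gobgp_is_affected(text))
```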

03

CVE-2026-7723

CVSS 7.3 HIGH (NVD)
Tags: Prefect, PrefectHQ, Linux, Cloud

Prefect's WebSocket endpoint at /api/events/in has no authentication. An attacker can connect remotely and inject events without credentials. A public exploit is already available, so expect scanning for this soon if it hasn't started already.

Included because
unauthenticated; remotely exploitable; public exploit available; CVSS 7.3
Affected estate
Self-hosted PrefectHQ Prefect instances version 3.6.13 and earlier with the API reachable over the network.
How to check
Run `prefect version` on your Prefect server host, or check your container image tag. Confirm whether /api/events/in is network-accessible.
Action
Upgrade Prefect to version 3.6.14. If you can't upgrade immediately, restrict network access to the /api/events/in WebSocket endpoint.
Urgency
Patch within 24 hours
Why it matters
Missing authentication on an event ingestion endpoint lets anyone inject arbitrary events into your workflow orchestration platform.
Source
NVD

04

CVE-2026-7711

CVSS 7.3 HIGH (NVD)
Tags: MindsDB, Linux, Cloud

MindsDB's BYOM (Bring Your Own Model) engine handler lets a remote attacker upload arbitrary files through the proc_wrapper.py exec function with no restrictions. A public exploit exists, and the vendor has not responded to disclosure. There is no patch available right now.

Included because
unauthenticated; remotely exploitable; unrestricted upload; public exploit available; no vendor patch; CVSS 7.3
Affected estate
MindsDB installations version 26.01 and earlier with the BYOM engine handler enabled.
How to check
Check your MindsDB version in the admin console or via `pip show mindsdb`. Confirm whether the BYOM handler is active in your configuration.
Action
Restrict all network access to MindsDB. Disable the BYOM engine handler if not in use. Watch for a vendor patch.
Urgency
Patch immediately
Why it matters
Unrestricted file upload via a remote endpoint can lead to full system compromise. No patch exists and a public exploit is circulating.
Source
NVD

05

CVE-2026-7710

CVSS 7.3 HIGH (NVD)
Tags: Yudao Cloud, Ruoyi Vue Pro, Linux, Cloud

The JWT authentication filter in yudao-cloud (Ruoyi-Vue-Pro) can be bypassed by manipulating the mock-token parameter. An attacker can remotely authenticate as any user without valid credentials. A public exploit is available, and the vendor has not responded to disclosure. No patch exists.

Included because
unauthenticated; remotely exploitable; authentication bypass; public exploit available; no vendor patch; CVSS 7.3
Affected estate
YunaiV yudao-cloud (Ruoyi-Vue-Pro) deployments version 3.8.0 and earlier.
How to check
Check your yudao-cloud version in your deployment configuration or pom.xml. Search your codebase for JwtAuthenticationTokenFilter.java and the mock-token parameter.
Action
Remove the application from public-facing networks. Disable or strip the mock-token parameter handling from JwtAuthenticationTokenFilter.java.
Urgency
Patch immediately
Why it matters
Full authentication bypass lets any remote attacker impersonate users, including admins. A public exploit makes this trivially weaponizable.
Source
NVD