CVE-2026-45047
7.5 HIGHbird-lg-go is a BIRD looking glass in Go
Published: 2026-05-27 · Last updated: 2026-06-01
Severity and scoring
- CVSS
- 7.5 HIGH
- Vector
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- CWE
- CWE-400
Description
bird-lg-go is a BIRD looking glass in Go. Prior to 1.4.5, the apiHandler (and similarly webHandlerTelegramBot) processes user-provided JSON payloads by directly using json.NewDecoder(r.Body).Decode(&request) without restricting the maximum read size. An unauthenticated remote attacker can stream an extremely large, endless JSON payload (e.g., several Gigabytes of padding) over a single TCP connection. Because Go's JSON decoder attempts to allocate memory for the entire parsed structure, this rapidly exhausts the host's physical RAM or container limits, leading to an unrecoverable fatal error: runtime: out of memory. This vulnerability is fixed in 1.4.5.
Source: NVD
References
Related CVEs
Same CWE
- CVE-2026-12325 — Denial-of-service in the Graphics: ImageLib component (6.5 MEDIUM)
- CVE-2026-12319 — Denial-of-service in the Audio/Video: Playback component (6.5 MEDIUM)
- CVE-2026-50889 — An input handling flaw in the HTTP refresh token process of LLDAP v0.6.2 allows attackers to cause a Denial of Service (DoS) via sending ... (7.5 HIGH)
- CVE-2026-50882 — An issue in the /api/v0/pastes endpoint of anna-is-cute paste v0.1.1 allows attackers to cause a Denial of Service (DoS) via a crafted PO... (7.5 HIGH)
- CVE-2026-50879 — An issue in the uploadPostHandler component of Andrei Marcu linx-server v2.3.8 allows attackers to cause a Denial of Service (DoS) via a ... (7.5 HIGH)