Xddxdd · Bird-Lg-Go · CVE-2026-45047
**Name of the Vulnerable Software and Affected Versions**
bird-lg-go versions prior to 1.4.5
**Description**
The `apiHandler` and `webHandlerTelegramBot` functions process user-provided JSON payloads using `json.NewDecoder(r.Body).Decode(&request)` without restricting the maximum read size. An unauthenticated remote attacker can stream an extremely large or endless JSON payload over a single TCP connection. Because the Go JSON decoder attempts to allocate memory for the entire parsed structure, this can exhaust the host's physical RAM or container limits, triggering a fatal out-of-memory runtime error. This leads to the Linux OOM Killer terminating the daemon, resulting in a Remote Denial of Service (RDoS).
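A bounded form of the decode call described above, as an added example that is not bird-lg-go's code or its 1.4.5 patch. The handler name, request struct, 1 MiB cap and request path are assumptions, and the oversized body is constructed in-process.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

const maxBodyBytes = 1 << 20 // assumed 1 MiB cap; size it to the largest legitimate request
// apiRequest is a hypothetical request shape, not bird-lg-go's own struct.
type apiRequest struct {
	Type string `json:"type"`
	Args string `json:"args"`
}

// decodeLimited caps the body with http.MaxBytesReader before decoding and maps the outcome to an HTTP status.
func decodeLimited(w http.ResponseWriter, r *http.Request, limit int64, dst any) int {
	r.Body = http.MaxBytesReader(w, r.Body, limit)
	var tooBig *http.MaxBytesError // returned by the reader once limit is exceeded (Go 1.19+)
	if err := json.NewDecoder(r.Body).Decode(dst); errors.As(err, &tooBig) {
		return http.StatusRequestEntityTooLarge
	} else if err != nil {
		return http.StatusBadRequest
	}
	return http.StatusOK
}

// boundedHandler is the hardened counterpart of a handler that decodes r.Body directly.
func boundedHandler(w http.ResponseWriter, r *http.Request) {
	var req apiRequest
	if status := decodeLimited(w, r, maxBodyBytes, &req); status != http.StatusOK {
		http.Error(w, http.StatusText(status), status)
		return
	}
	fmt.Fprintf(w, "type=%s", req.Type)
}

// statusFor sends a constructed body through boundedHandler and returns the response status.
func statusFor(body string) int {
	rec := httptest.NewRecorder()
	boundedHandler(rec, httptest.NewRequest(http.MethodPost, "/", strings.NewReader(body)))
	return rec.Code
}

func main() {
	fmt.Println(statusFor(`{"type":"summary"}`), statusFor(`{"args":"`+strings.Repeat("A", 2*maxBodyBytes)+`"}`))
}
```

With the cap in place the decoder stops reading after `maxBodyBytes`, so memory use per request is bounded regardless of how much the client keeps sending.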
**Recommendations**
Update to version 1.4.5.