Moderate severity · NVD Advisory · Published Nov 11, 2021 · Updated Sep 16, 2024
OctoRPKI crashes when processing GZIP bomb returned via malicious repository
CVE-2021-3912
Description
OctoRPKI tries to load the entire contents of a repository into memory and, in the case of a GZIP bomb, unzip it in memory, making it possible to create a repository that makes OctoRPKI run out of memory (and thus crash).
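As an added example (not code from the cfrpki code base or from the commit referenced below), here is the pattern the fix applies, written in Go so it can be run: a constructed httptest server serves a gzip-encoded body that inflates to a chosen size, and the fetcher caps the decompressed bytes it is willing to read with http.MaxBytesReader, so a small compressed payload can no longer inflate without bound in memory. The names fetchBounded, errResponseTooLarge, gzipZeros, newGzipServer and fetchInflated are assumptions for this illustration; the 1 MiB cap is a demo value (the fix uses 100 MB), and the typed *http.MaxBytesError check needs Go 1.19 or later.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// errResponseTooLarge is a sentinel (hypothetical name) so callers can use
// errors.Is instead of comparing error text.
var errResponseTooLarge = errors.New("rrdp: response body exceeds size limit")

// fetchBounded GETs url and reads at most limit bytes of the response body.
// Go's transport transparently gunzips a Content-Encoding: gzip body when it
// added Accept-Encoding itself, so res.Body yields inflated bytes and the cap
// bounds the decompressed size, which is what defeats a GZIP bomb.
func fetchBounded(client *http.Client, url string, limit int64) ([]byte, error) {
	res, err := client.Get(url)
	if err != nil {
		return nil, err
	}
	defer res.Body.Close()
	if res.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("status is %d", res.StatusCode)
	}
	// MaxBytesReader fails as soon as limit+1 bytes have been consumed;
	// a nil ResponseWriter is fine on the client side.
	r := http.MaxBytesReader(nil, res.Body, limit)
	data, err := io.ReadAll(r)
	if err != nil {
		var tooLarge *http.MaxBytesError // typed error available since Go 1.19
		if errors.As(err, &tooLarge) {
			return nil, errResponseTooLarge
		}
		return nil, err
	}
	return data, nil
}

// gzipZeros builds a constructed gzip stream that inflates to n zero bytes:
// a few kilobytes on the wire that expand to megabytes, the shape of a
// decompression bomb. Written in chunks so the builder itself stays small.
func gzipZeros(n int) []byte {
	var buf bytes.Buffer
	zw := gzip.NewWriter(&buf)
	chunk := make([]byte, 64<<10)
	for written := 0; written < n; {
		w := len(chunk)
		if n-written < w {
			w = n - written
		}
		zw.Write(chunk[:w])
		written += w
	}
	zw.Close()
	return buf.Bytes()
}

// newGzipServer serves payload as a gzip-encoded XML response, a constructed
// stand-in for an RRDP repository.
func newGzipServer(payload []byte) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.Header().Set("Content-Type", "application/xml")
		w.Header().Set("Content-Encoding", "gzip")
		w.Write(payload)
	}))
}

// fetchInflated serves a body that inflates to inflatedSize bytes and fetches
// it under limit. It returns the number of bytes accepted and the fetch error.
func fetchInflated(inflatedSize int, limit int64) (int, error) {
	srv := newGzipServer(gzipZeros(inflatedSize))
	defer srv.Close()
	data, err := fetchBounded(srv.Client(), srv.URL, limit)
	return len(data), err
}

func main() {
	const limit int64 = 1 << 20 // 1 MiB cap for the demo; the fix uses 100 MB
	n, err := fetchInflated(64<<10, limit)
	fmt.Printf("64 KiB inflated: read %d bytes, err=%v\n", n, err)
	n, err = fetchInflated(4<<20, limit)
	fmt.Printf("4 MiB inflated: read %d bytes, err=%v\n", n, err)
}
```

Run it and the 64 KiB body is read whole, while the 4 MiB body is refused after at most 1 MiB has been inflated, however small the compressed payload was. Returning a sentinel lets the caller decide what to do with errors.Is rather than by comparing error strings.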
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/cloudflare/cfrpki (Go) | < 1.4.0 | 1.4.0 |
Affected products
- Range: unspecified
Patches
- 648658b1b176 VULN-8282: Prevent resource exhaustion by enforcing a 100mb limit on downloaded files
2 files changed · +10 −3
cmd/octorpki/octorpki.go+2 −1 modified@@ -442,7 +442,8 @@ func (s *state) MainRRDP(pSpan opentracing.Span) { sentry.CaptureException(err) }) - if s.RRDPFailover { + // GHSA-g9wh-3vrx-r7hg: Do not process responses that are too large + if s.RRDPFailover && err.Error() != "http: request body too large" { log.Errorf("Error when processing %v (for %v): %v. Will add to rsync.", path, rsync, err) rSpan.LogKV("event", "rrdp failure", "type", "failover to rsync", "message", err) } else {
sync/lib/rrdp.go+8 −2 modified@@ -6,12 +6,15 @@ import ( "encoding/xml" "errors" "fmt" - "github.com/getsentry/sentry-go" "io/ioutil" "net/http" "strings" + + "github.com/getsentry/sentry-go" ) +const ResponseLimit int64 = 100000000 // (100mb) + type RRDPFetcher interface { GetXML(string) (string, error) } @@ -40,7 +43,10 @@ func (f *HTTPFetcher) GetXML(url string) (string, error) { return "", NewRRDPErrorFetch(req, errors.New(fmt.Sprintf("status is %d", res.StatusCode))) } - data, err := ioutil.ReadAll(res.Body) + // GHSA-g9wh-3vrx-r7hg: Do not process responses that are excessively large + r := http.MaxBytesReader(nil, res.Body, ResponseLimit) + data, err := ioutil.ReadAll(r) + if err != nil { return "", err }
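Review bot: in the MainRRDP hunk, the failover guard matches the size-limit error by comparing `err.Error()` against the literal "http: request body too large", which is brittle: it silently stops working if GetXML ever wraps that error (as its status-code path already does via NewRRDPErrorFetch) or if the standard library rewords the message. Prefer a sentinel error returned by GetXML and checked with errors.Is, or, on Go 1.19 and later, `errors.As(err, new(*http.MaxBytesError))`. The comment should also say why an oversized response must not fail over to rsync, since the log line next to it still reads "Will add to rsync." and the intent is otherwise only implied.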
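Review bot: in the GetXML hunk, `http.MaxBytesReader(nil, res.Body, ResponseLimit)` relies on a nil ResponseWriter being tolerated; that holds (the writer is only consulted on the server side) but is not spelled out in older Go documentation, so the comment should say so. The cap is applied to `res.Body` after the transport's transparent gzip decompression, which is what makes it bound inflated bytes; if this fetcher ever sets Accept-Encoding itself and decompresses elsewhere, the cap would only cover the compressed stream and that path would need its own bounded reader. Two smaller points: the new early return hands back the raw error while the branch above wraps with NewRRDPErrorFetch (keep one convention, see the MainRRDP note), and `ioutil.ReadAll` may still allocate up to ResponseLimit per fetch, so the const comment should note that concurrent fetches multiply that 100 MB. The sentry-go import move is unrelated to the fix and belongs in a separate change.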
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-g9wh-3vrx-r7hg (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2021-3912 (ghsa, ADVISORY)
- www.debian.org/security/2022/dsa-5041 (ghsa, vendor-advisory, x_refsource_DEBIAN, WEB)
- github.com/cloudflare/cfrpki (ghsa, PACKAGE)
- github.com/cloudflare/cfrpki/commit/648658b1b176a747b52645989cfddc73a81eacad (ghsa, WEB)
- github.com/cloudflare/cfrpki/security/advisories/GHSA-g9wh-3vrx-r7hg (ghsa, x_refsource_MISC, WEB)
- pkg.go.dev/vuln/GO-2022-0253 (ghsa, WEB)