VYPR
High severityNVD Advisory· Published Nov 9, 2021· Updated Sep 16, 2024

Infinite length chain of RRDP repositories

CVE-2021-43172

Description

NLnet Labs Routinator prior to 0.10.2 happily processes a chain of RRDP repositories of infinite length causing it to never finish a validation run. In RPKI, a CA can choose the RRDP repository it wishes to publish its data in. By continuously generating a new child CA that only consists of another CA using a different RRDP repository, a malicious CA can create a chain of CAs of de-facto infinite length. Routinator prior to version 0.10.2 did not contain a limit on the length of such a chain and will therefore continue to process this chain forever. As a result, the validation run will never finish, leading to Routinator continuing to serve the old data set or, if in the initial validation run directly after starting, never serve any data at all.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Routinator before 0.10.2 has no limit on CA chain depth, allowing a malicious CA to create an infinite RRDP repository chain, causing validation to hang and denying service.

Vulnerability

Routinator prior to version 0.10.2 does not impose a limit on the depth of a Certificate Authority (CA) chain during RRDP repository validation [1][3]. In RPKI, a CA can select which RRDP repository publishes its data. By repeatedly generating a child CA that itself points to another RRDP repository, an attacker can create a chain of de-facto infinite length. Routinator will process this chain indefinitely, causing the validation run to never complete [1][3].

Exploitation

An attacker with the ability to act as a malicious CA can construct a chain of CAs, each new CA being a child of the previous one and pointing to a different RRDP repository, so that the chain never terminates. No special network position or authentication is required beyond the ability to publish valid RPKI objects. Routinator will follow the chain until it exhausts resources or runs indefinitely, never finishing the validation cycle [1][3].

Impact

Successful exploitation causes Routinator to never complete a validation run. As a result, the validator continues to serve stale data (if previously started) or, on initial startup, fails to serve any data at all [1][3]. This effectively denies service to Relying Parties that depend on up-to-date RPKI data for routing decisions.

Mitigation

NLnet Labs released Routinator version 0.10.2 on 2021-11-09, which introduces a configurable max-ca-depth variable that limits the CA chain length and prevents infinite processing [2][3]. Users should upgrade to 0.10.2 or later. No workarounds exist for prior versions. This CVE is not listed on the CISA KEV catalog.
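To make the mitigation concrete, the following is an added illustration (not Routinator's own code) of a CA-tree walk with a configurable depth limit in the spirit of the max-ca-depth option named above. The `Repository` trait, the `validate` function, the `RunStats` counters and the `example.invalid` RRDP URIs are all assumptions of this example; a real validator fetches manifests and certificates from the repository instead of calling a closure. Two constructed publishers are included: a small benign tree, and an unbounded chain in which every CA yields exactly one further child CA in a fresh repository, which is the shape of chain the description above refers to. The point shown is that the bounded walk terminates on both inputs and leaves the benign tree fully validated.

```rust
// Added example, not Routinator's code: a depth-bounded walk over a simulated RPKI CA tree.
use std::collections::HashMap;

/// A simulated CA certificate: its name and the RRDP repository it publishes in.
#[derive(Clone, Debug)]
pub struct Ca {
    pub name: String,
    pub rrdp_uri: String,
}

/// Source of child CAs for a given CA (hypothetical abstraction; a real validator
/// would fetch the CA's manifest and certificates from `rrdp_uri`).
pub trait Repository {
    fn children(&self, ca: &Ca) -> Vec<Ca>;
}

/// Outcome of one validation run.
#[derive(Debug, PartialEq)]
pub struct RunStats {
    pub cas_processed: usize,
    /// Number of CAs whose children were dropped because the depth limit was reached.
    pub depth_limit_hits: usize,
}

/// Walk the CA tree from the trust anchor `ta`, never descending below `max_ca_depth`.
/// The trust anchor sits at depth 0, so at most `max_ca_depth + 1` levels are visited.
pub fn validate<R: Repository>(repo: &R, ta: &Ca, max_ca_depth: usize) -> RunStats {
    let mut stats = RunStats { cas_processed: 0, depth_limit_hits: 0 };
    let mut stack: Vec<(Ca, usize)> = vec![(ta.clone(), 0)];
    while let Some((ca, depth)) = stack.pop() {
        stats.cas_processed += 1;
        if depth >= max_ca_depth {
            // The mitigation: record the event and stop descending instead of
            // following an unbounded chain forever.
            stats.depth_limit_hits += 1;
            continue;
        }
        for child in repo.children(&ca) {
            stack.push((child, depth + 1));
        }
    }
    stats
}

/// Constructed benign publisher: a fixed parent -> children map.
pub struct FixedTree {
    edges: HashMap<String, Vec<Ca>>,
}

impl Repository for FixedTree {
    fn children(&self, ca: &Ca) -> Vec<Ca> {
        self.edges.get(&ca.name).cloned().unwrap_or_default()
    }
}

/// Constructed tree: ta -> {ca-a, ca-b}, ca-a -> {ca-a1}; four CAs in total.
pub fn benign_tree() -> FixedTree {
    let ca = |name: &str, uri: &str| Ca { name: name.to_string(), rrdp_uri: uri.to_string() };
    let mut edges = HashMap::new();
    edges.insert(
        "ta".to_string(),
        vec![
            ca("ca-a", "https://rrdp-a.example.invalid/notification.xml"),
            ca("ca-b", "https://rrdp-b.example.invalid/notification.xml"),
        ],
    );
    edges.insert(
        "ca-a".to_string(),
        vec![ca("ca-a1", "https://rrdp-a1.example.invalid/notification.xml")],
    );
    FixedTree { edges }
}

/// Constructed unbounded publisher: every CA, at any depth, yields one further child
/// CA in a new RRDP repository, so the chain has no natural end.
pub struct EndlessChain;

impl Repository for EndlessChain {
    fn children(&self, ca: &Ca) -> Vec<Ca> {
        let n: usize = ca.name.trim_start_matches("ca-").parse().unwrap_or(0);
        vec![Ca {
            name: format!("ca-{}", n + 1),
            rrdp_uri: format!("https://rrdp-{}.example.invalid/notification.xml", n + 1),
        }]
    }
}

pub fn trust_anchor() -> Ca {
    Ca { name: "ta".into(), rrdp_uri: "https://ta.example.invalid/notification.xml".into() }
}

fn main() {
    let ta = trust_anchor();
    println!("benign tree:    {:?}", validate(&benign_tree(), &ta, 32));
    println!("endless chain:  {:?}", validate(&EndlessChain, &ta, 32));
}
```

With a limit of 32 the benign tree is fully validated (four CAs, no limit hits), while the endless chain is cut off after 33 CAs (depths 0 through 32) with exactly one limit hit, and the run completes. Without the `depth >= max_ca_depth` check the second call would never return, which is the behaviour the advisory describes for Routinator before 0.10.2.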

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                  Affected versions   Patched versions
routinator (crates.io)   < 0.10.2            0.10.2
