gzip transfer encoding caused out-of-memory crash
Description
NLnet Labs Routinator versions 0.9.0 up to and including 0.10.1 support the gzip transfer encoding when querying RRDP repositories. An RRDP repository can use this encoding to cause an out-of-memory crash in these versions of Routinator. RRDP uses XML, which allows arbitrary amounts of white space in the encoded data. The gzip scheme compresses such white space extremely well, producing very small compressed files that become huge when decompressed for further processing, big enough that Routinator runs out of memory while parsing the input and waiting for the next XML element.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In Routinator 0.9.0 through 0.10.1, an RRDP repository can cause an out-of-memory crash using gzip-compressed XML with excessive whitespace.
Vulnerability
NLnet Labs Routinator versions 0.9.0 through 0.10.1 support gzip transfer encoding when querying RRDP repositories. RRDP uses XML, which allows arbitrary amounts of whitespace in the encoded data. The gzip compression scheme compresses such whitespace extremely well, resulting in very small compressed files that decompress into extremely large XML documents. Routinator runs out of memory when parsing this inflated input data while waiting for the next XML element, leading to a crash [1][2].
Exploitation
An attacker controlling an RRDP repository can serve a small gzip-compressed XML file containing massive whitespace. When Routinator (versions 0.9.0 through 0.10.1) fetches and decompresses this resource, the resulting expanded XML exhausts available memory during parsing. No special network position or authentication is required beyond the ability to act as an RRDP repository that the victim instance queries [1][2].
Impact
Successful exploitation causes an out-of-memory crash of the Routinator process. This denial-of-service condition prevents the RPKI validator from completing its validation run, leading to continued serving of stale RPKI data or, if the crash occurs during initial startup, no data being served at all [1][2].
Mitigation
Routinator version 0.10.2 fixes this vulnerability by removing support for gzip transfer encoding in RRDP requests. Users should upgrade to 0.10.2 or later. There is no known workaround for unpatched versions. The vulnerability was disclosed on 2021-11-09 and is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog [2][3].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
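As an added illustration (not Routinator's own code; its 0.10.2 fix simply dropped gzip support), the Python below builds a whitespace-padded RRDP-style XML document to show how small it becomes under gzip, then applies the general defensive control of capping the inflated size while decompressing so that memory stays bounded regardless of the compressed payload. The notification element, the padding sizes and the 1 MiB cap are constructed assumptions.

```python
import gzip
import io

# Constructed sample: an RRDP-style notification element padded with
# whitespace. The padding is still well-formed XML, and gzip shrinks it
# by roughly three orders of magnitude.
def build_padded_xml(padding_bytes: int) -> bytes:
    head = (b'<notification xmlns="http://www.ripe.net/rpki/rrdp" '
            b'version="1" session_id="constructed-sample" serial="1">')
    return head + b" " * padding_bytes + b"</notification>"

def gzip_bytes(data: bytes) -> bytes:
    return gzip.compress(data, compresslevel=9)

class DecompressionLimitExceeded(Exception):
    """Raised when inflated output would exceed the configured cap."""

def bounded_gunzip(compressed: bytes, max_output: int, chunk: int = 64 * 1024) -> bytes:
    """Inflate a gzip body in fixed-size chunks and stop as soon as the
    running total passes max_output. Peak memory is bounded by
    max_output + chunk, however small the compressed input is."""
    out = bytearray()
    with gzip.GzipFile(fileobj=io.BytesIO(compressed), mode="rb") as gz:
        while True:
            piece = gz.read(chunk)
            if not piece:  # clean end of stream
                break
            out += piece
            if len(out) > max_output:
                raise DecompressionLimitExceeded(
                    f"inflated size exceeds cap of {max_output} bytes")
    return bytes(out)

def fits_within_limit(compressed: bytes, max_output: int) -> bool:
    """True if the body inflates to at most max_output bytes."""
    try:
        bounded_gunzip(compressed, max_output)
        return True
    except DecompressionLimitExceeded:
        return False

if __name__ == "__main__":
    original = build_padded_xml(20_000_000)  # ~20 MB of XML
    body = gzip_bytes(original)
    print(f"compressed {len(body)} bytes -> inflates to {len(original)} bytes "
          f"(ratio {len(original) / len(body):.0f}:1)")
    # A 1 MiB cap rejects the padded document long before it is fully inflated.
    print("accepted under 1 MiB cap:", fits_within_limit(body, 1 << 20))
```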
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| routinator (crates.io) | >= 0.9.0, < 0.10.2 | 0.10.2 |
Affected products
- NLnet Labs / Routinator (v5, range: unspecified)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-6mv9-qcx2-3hh3 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-43174 (advisory)
- www.debian.org/security/2022/dsa-5041 (Debian vendor advisory)
- www.nlnetlabs.nl/downloads/routinator/CVE-2021-43172_CVE-2021-43173_CVE-2021-43174.txt (NLnet Labs advisory)
News mentions
No linked articles in our index yet.