Fatal error on incorrect base64 data in RRDP
Description
In NLnet Labs Routinator 0.9.0 up to and including 0.11.2, due to a mistake in error handling, data in RRDP snapshot and delta files that isn’t correctly base 64 encoded is treated as a fatal error and causes Routinator to exit. Worst case impact of this vulnerability is denial of service for the RPKI data that Routinator provides to routers. This may stop your network from validating route origins based on RPKI data. This vulnerability does not allow an attacker to manipulate RPKI data.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In NLnet Labs Routinator 0.9.0-0.11.2, malformed base64 in RRDP files causes a fatal error and exit, leading to denial of service for RPKI data.
Vulnerability
Overview
CVE-2022-3029 is a denial-of-service vulnerability in NLnet Labs Routinator versions 0.9.0 through 0.11.2. The root cause is a mistake in error handling when processing RRDP snapshot and delta files: if the data is not correctly base64 encoded, Routinator treats it as a fatal error and exits instead of gracefully skipping or logging the malformed entry [1][2].
Exploitation
An attacker who can control or inject content into the RRDP repositories that Routinator fetches (e.g., via a man-in-the-middle attack or by compromising an RPKI repository) can trigger this vulnerability. No authentication is required beyond the ability to serve malicious RRDP data. The attacker does not need any special network position other than being able to influence the data Routinator downloads [2].
Impact
The immediate impact is a denial of service: Routinator exits, stopping the provision of RPKI data to routers. This prevents routers from validating route origins based on RPKI, potentially allowing invalid routes to be accepted. Importantly, the vulnerability does not allow an attacker to manipulate RPKI data itself [2].
Mitigation
The issue is fixed in Routinator version 0.11.3 [3]. Users should upgrade to this version or later. The fix modifies the error handling to no longer treat malformed base64 data as a fatal error [1].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
routinatorcrates.io | >= 0.9.0, < 0.11.3 | 0.11.3 |
Affected products
2- NLnet Labs/Routinatorv5Range: unspecified
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
5- github.com/advisories/GHSA-m4vx-ccrf-w399ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2022-3029ghsaADVISORY
- github.com/NLnetLabs/routinator/pull/781/commits/c2e2476f28f09ea5ffb22d172d84fb4f8384d496ghsaWEB
- github.com/NLnetLabs/routinator/releases/tag/v0.11.3ghsaWEB
- www.nlnetlabs.nl/downloads/routinator/CVE-2022-3029.txtghsax_refsource_MISCWEB
News mentions
0No linked articles in our index yet.