Possible path traversal when storing RRDP responses
Description
NLnet Labs’ Routinator 0.9.0 up to and including 0.12.1 as well as 0.14.0 up to and including 0.14.2 contains a possible path traversal vulnerability in the optional, off-by-default keep-rrdp-responses feature that allows users to store the content of responses received for RRDP requests. The location of these stored responses is constructed from the URL of the request. Due to insufficient sanitation of the URL, it is possible for an attacker to craft a URL that results in the response being stored outside of the directory specified for it.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Path traversal in NLnet Labs Routinator's optional keep-rrdp-responses feature allows RRDP responses to be stored outside the intended directory because the request URL is insufficiently sanitized.
Vulnerability
CVE-2023-39916 is a path traversal vulnerability in the optional, off-by-default keep-rrdp-responses feature of Routinator, an RPKI validator. The feature, introduced in Routinator 0.9.0, allows users to store the content of responses received for RRDP requests. The file path for storing these responses is constructed from the URL of the request, but insufficient sanitization of the URL enables an attacker to craft a malicious URL that results in the response being written outside the designated directory [1][2][4].
Exploitation
Exploitation requires a Routinator instance with the keep-rrdp-responses option enabled to process an RRDP request whose URL has been crafted by the attacker. The feature is disabled by default, so only users who explicitly enable it, either in the configuration file or on the command line, are affected [2][4]. No authentication is involved, as the vulnerability is triggered during normal RRDP communication.
Impact
Successful exploitation allows an attacker to write data to a location on the file system outside the configured directory, potentially overwriting sensitive files, creating malicious files, or causing other forms of compromise. The impact is bounded by the fact that the written content is the RRDP response itself, which the attacker controls, and by the flaw affecting only where that response is written [1][4].
Mitigation
The vulnerability is fixed in Routinator 0.12.2, which properly validates the request URI before storing the response. For users on the 0.14.x series, the fix is included in 0.15.0, which removes the feature entirely. Users unable to upgrade should disable the keep-rrdp-responses feature as a workaround [1][3][4].
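To illustrate the bug class described above (a storage path derived from the request URL) next to the kind of validation a fix needs, here is an added example; it is not Routinator's code and does not claim to reproduce the 0.12.2 patch. The base directory, URL handling and allow-list are assumptions made for the example.

```rust
use std::path::{Path, PathBuf};

/// Constructed example: map an RRDP request URL to a file path under `base`.
/// Naive variant that reproduces the flaw class: URL path segments are
/// appended verbatim, so a ".." segment becomes a parent-directory component.
pub fn naive_store_path(base: &Path, url: &str) -> PathBuf {
    let rest = url.trim_start_matches("https://").trim_start_matches("http://");
    let (host, path) = rest.split_once('/').unwrap_or((rest, ""));
    let mut out = base.join(host);
    for seg in path.split('/').filter(|s| !s.is_empty()) {
        out.push(seg); // PathBuf does not normalise ".." away
    }
    out
}

/// Hardened variant: the host and every path segment are validated against a
/// conservative allow-list before being joined, so the result cannot leave
/// `base` (assumption: RRDP URLs are plain https URLs without port or query).
pub fn safe_store_path(base: &Path, url: &str) -> Result<PathBuf, String> {
    let rest = url.strip_prefix("https://").ok_or("RRDP requires https")?;
    let (host, path) = rest.split_once('/').unwrap_or((rest, ""));
    if !is_safe_component(host) {
        return Err(format!("rejected host {:?}", host));
    }
    let mut out = base.join(host);
    for seg in path.split('/').filter(|s| !s.is_empty()) {
        if !is_safe_component(seg) {
            return Err(format!("rejected path segment {:?}", seg));
        }
        out.push(seg);
    }
    Ok(out)
}

/// A component is accepted only if it is non-empty, not "." or "..", and made
/// of unreserved URL characters; this also rejects percent-encoded dots/slashes.
fn is_safe_component(s: &str) -> bool {
    !s.is_empty()
        && s != "."
        && s != ".."
        && s.bytes().all(|b| b.is_ascii_alphanumeric() || b"-._~".contains(&b))
}

fn main() {
    let base = Path::new("/var/lib/routinator/rrdp"); // constructed base directory
    for url in ["https://rrdp.example.net/notification.xml",
                "https://rrdp.example.net/../../../../etc/passwd"] {
        println!("{}\n  naive: {:?}\n  safe:  {:?}",
                 url, naive_store_path(base, url), safe_store_path(base, url));
    }
}
```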
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| routinator (crates.io) | >= 0.9.0, < 0.12.2 | 0.12.2 |
Affected products
- NLnet Labs / Routinator, affected range starting at 0.9.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1. https://github.com/advisories/GHSA-5rxf-fqch-7vqp (GitHub Security Advisory)
2. https://nlnetlabs.nl/downloads/routinator/CVE-2023-39916.txt (vendor advisory)
3. https://nvd.nist.gov/vuln/detail/CVE-2023-39916 (NVD advisory)
4. https://github.com/NLnetLabs/routinator/pull/892 (fix pull request)
5. https://github.com/NLnetLabs/routinator/releases/tag/v0.12.2 (release)
News mentions
No linked articles in our index yet.