Routinator
by Nlnetlabs
Source repositories
CVEs (9)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-49235 | Hig | 0.50 | — | — | Jun 8, 2026 | When Routinator encounters a file via RRDP using a specifically crafted Document Type Definition, Routinator crashes. | ||
| CVE-2026-49232 | Hig | 0.50 | — | — | Jun 8, 2026 | Routinator exits on any error when accepting incoming HTTP or RTR connections, including ones it can recover from such as running out of file descriptors. This condition can be triggered maliciously by an attacker by opening a large number of connections to the HTTP or RTR… | ||
| CVE-2025-0638 | Hig | 0.49 | 7.5 | 0.00 | Jan 22, 2025 | The initial code parsing the manifest did not check the content of the file names yet later code assumed that it was checked and panicked when encountering illegal characters, resulting in a crash of Routinator. | ||
| CVE-2026-49233 | Hig | 0.47 | — | — | Jun 8, 2026 | Routinator does not properly check the module component of rsync URIs, which are used to create the file system paths for the Routinator cache. This allows for path traversal by having a module name containing .., potentially providing an attacker access to the entire Routinator… | ||
| CVE-2024-1622 | 0.00 | — | 0.00 | Feb 26, 2024 | Due to a mistake in error checking, Routinator will terminate when an incoming RTR connection is reset by the peer too quickly after opening. | |||
| CVE-2023-39915 | 0.00 | — | 0.00 | Sep 13, 2023 | NLnet Labs' Routinator up to and including version 0.12.1 may crash when trying to parse certain malformed RPKI objects. This is due to insufficient input checking in the bcder library covered by CVE-2023-39914. | |||
| CVE-2021-43173 | 0.00 | — | 0.00 | Nov 9, 2021 | In NLnet Labs Routinator prior to 0.10.2, a validation run can be delayed significantly by an RRDP repository by not answering but slowly drip-feeding bytes to keep the connection alive. This can be used to effectively stall validation. While Routinator has a configurable… | |||
| CVE-2021-41531 | 0.00 | — | 0.00 | Sep 21, 2021 | NLnet Labs Routinator prior to 0.10.0 produces invalid RTR payload if an RPKI CA uses too large values in the max-length parameter in a ROA. This will lead to RTR clients such as routers to reject the RPKI data set, effectively disabling Route Origin Validation. | |||
| CVE-2020-17366 | 0.00 | — | 0.00 | Aug 5, 2020 | An issue was discovered in NLnet Labs Routinator 0.1.0 through 0.7.1. It allows remote attackers to bypass intended access restrictions or to cause a denial of service on dependent routing systems by strategically withholding RPKI Route Origin Authorisation ".roa" files or X509… |
- risk 0.50cvss —epss —
When Routinator encounters a file via RRDP using a specifically crafted Document Type Definition, Routinator crashes.
- risk 0.50cvss —epss —
Routinator exits on any error when accepting incoming HTTP or RTR connections, including ones it can recover from such as running out of file descriptors. This condition can be triggered maliciously by an attacker by opening a large number of connections to the HTTP or RTR…
- risk 0.49cvss 7.5epss 0.00
The initial code parsing the manifest did not check the content of the file names yet later code assumed that it was checked and panicked when encountering illegal characters, resulting in a crash of Routinator.
- risk 0.47cvss —epss —
Routinator does not properly check the module component of rsync URIs, which are used to create the file system paths for the Routinator cache. This allows for path traversal by having a module name containing .., potentially providing an attacker access to the entire Routinator…
- CVE-2024-1622Feb 26, 2024risk 0.00cvss —epss 0.00
Due to a mistake in error checking, Routinator will terminate when an incoming RTR connection is reset by the peer too quickly after opening.
- CVE-2023-39915Sep 13, 2023risk 0.00cvss —epss 0.00
NLnet Labs' Routinator up to and including version 0.12.1 may crash when trying to parse certain malformed RPKI objects. This is due to insufficient input checking in the bcder library covered by CVE-2023-39914.
- CVE-2021-43173Nov 9, 2021risk 0.00cvss —epss 0.00
In NLnet Labs Routinator prior to 0.10.2, a validation run can be delayed significantly by an RRDP repository by not answering but slowly drip-feeding bytes to keep the connection alive. This can be used to effectively stall validation. While Routinator has a configurable…
- CVE-2021-41531Sep 21, 2021risk 0.00cvss —epss 0.00
NLnet Labs Routinator prior to 0.10.0 produces invalid RTR payload if an RPKI CA uses too large values in the max-length parameter in a ROA. This will lead to RTR clients such as routers to reject the RPKI data set, effectively disabling Route Origin Validation.
- CVE-2020-17366Aug 5, 2020risk 0.00cvss —epss 0.00
An issue was discovered in NLnet Labs Routinator 0.1.0 through 0.7.1. It allows remote attackers to bypass intended access restrictions or to cause a denial of service on dependent routing systems by strategically withholding RPKI Route Origin Authorisation ".roa" files or X509…