Skip to main content

Routinator CVE-2021-43174

HIGH
Improperly Controlled Sequential Memory Allocation (CWE-1325)
2021-11-09 sep@nlnetlabs.nl
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

1
CVE Published
Nov 09, 2021 - 17:15 nvd
HIGH 7.5

DescriptionNVD

NLnet Labs Routinator versions 0.9.0 up to and including 0.10.1, support the gzip transfer encoding when querying RRDP repositories. This encoding can be used by an RRDP repository to cause an out-of-memory crash in these versions of Routinator. RRDP uses XML which allows arbitrary amounts of white space in the encoded data. The gzip scheme compresses such white space extremely well, leading to very small compressed files that become huge when being decompressed for further processing, big enough that Routinator runs out of memory when parsing input data waiting for the next XML element.

AnalysisAI

NLnet Labs Routinator versions 0.9.0 up to and including 0.10.1, support the gzip transfer encoding when querying RRDP repositories. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified under CWE-1325. NLnet Labs Routinator versions 0.9.0 up to and including 0.10.1, support the gzip transfer encoding when querying RRDP repositories. This encoding can be used by an RRDP repository to cause an out-of-memory crash in these versions of Routinator. RRDP uses XML which allows arbitrary amounts of white space in the encoded data. The gzip scheme compresses such white space extremely well, leading to very small compressed files that become huge when being decompressed for further processing, big enough that Routinator runs out of memory when parsing input data waiting for the next XML element. Affected products include: Nlnetlabs Routinator, Debian Debian Linux.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

CVE-2020-17366 HIGH POC
7.4 Aug 05

An issue was discovered in NLnet Labs Routinator 0.1.0 through 0.7.1. Rated high severity (CVSS 7.4), this vulnerability

CVE-2026-49235 HIGH
8.7 Jun 08

Denial of service in NLnet Labs Routinator allows remote attackers to crash the RPKI validator by serving a crafted Docu

CVE-2026-49232 HIGH
8.7 Jun 08

Denial of service in NLnet Labs Routinator allows remote unauthenticated attackers to crash the daemon by opening a larg

CVE-2026-49233 HIGH
8.3 Jun 08

Path traversal in NLnet Labs Routinator allows remote attackers to escape the rsync cache directory by supplying rsync U

CVE-2026-49234 HIGH
8.2 Jun 08

Denial of service in NLnet Labs Routinator (an RPKI Relying Party software) allows remote attackers to crash the daemon

CVE-2024-1622 HIGH
7.5 Feb 26

Due to a mistake in error checking, Routinator will terminate when an incoming RTR connection is reset by the peer too q

CVE-2023-39915 HIGH
7.5 Sep 13

NLnet Labs' Routinator up to and including version 0.12.1 may crash when trying to parse certain malformed RPKI objects.

CVE-2022-3029 HIGH
7.5 Sep 13

In NLnet Labs Routinator 0.9.0 up to and including 0.11.2, due to a mistake in error handling, data in RRDP snapshot and

CVE-2021-43173 HIGH
7.5 Nov 09

In NLnet Labs Routinator prior to 0.10.2, a validation run can be delayed significantly by an RRDP repository by not ans

CVE-2021-43172 HIGH
7.5 Nov 09

NLnet Labs Routinator prior to 0.10.2 happily processes a chain of RRDP repositories of infinite length causing it to ne

CVE-2021-41531 HIGH
7.5 Sep 21

NLnet Labs Routinator prior to 0.10.0 produces invalid RTR payload if an RPKI CA uses too large values in the max-length

CVE-2023-39916 MEDIUM
6.5 Sep 13

NLnet Labs’ Routinator 0.9.0 up to and including 0.12.1 as well as 0.14.0 up to and including 0.14.2 contains a possible

Share

CVE-2021-43174 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy