Skip to main content

Routinator

13 CVEs product

Monthly

CVE-2026-49235 Cargo HIGH PATCH GHSA This Week

Denial of service in NLnet Labs Routinator allows remote attackers to crash the RPKI validator by serving a crafted Document Type Definition (DTD) inside RRDP repository content. Exploitation requires no authentication or user interaction (CVSS 4.0 8.7, VA:H), and no public exploit identified at time of analysis. A successful crash halts RPKI relying-party processing, which can degrade route origin validation for networks that depend on Routinator output.

Denial Of Service Routinator
NVD VulDB
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-49234 Cargo HIGH PATCH GHSA This Week

Denial of service in NLnet Labs Routinator (an RPKI Relying Party software) allows remote attackers to crash the daemon by sending a specifically crafted non-UTF-8 string in the select-asn query parameter to the /api/v1/origins HTTP endpoint. The flaw only impacts deployments that expose the API to untrusted networks, and no public exploit has been identified at time of analysis. CVSS 4.0 base score is 8.2 driven by high availability impact to both the vulnerable component and downstream RPKI consumers.

Denial Of Service Routinator
NVD VulDB
CVSS 4.0
8.2
EPSS
0.0%
CVE-2026-49233 Cargo HIGH PATCH GHSA This Week

Path traversal in NLnet Labs Routinator allows remote attackers to escape the rsync cache directory by supplying rsync URIs whose module component contains '..' sequences, enabling read/write access across the entire Routinator rsync cache filesystem. The flaw is network-reachable and requires no authentication, and no public exploit identified at time of analysis. CVSS 4.0 of 8.3 reflects high integrity and availability impact with an attack requirement (AT:P) reducing it from critical.

Path Traversal Routinator
NVD VulDB
CVSS 4.0
8.3
EPSS
0.0%
CVE-2026-49232 HIGH This Week

Denial of service in NLnet Labs Routinator allows remote unauthenticated attackers to crash the daemon by opening a large number of HTTP or RTR connections, exhausting file descriptors and triggering an unrecoverable exit. Only deployments exposing the HTTP or RTR server to untrusted networks are affected. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Information Disclosure Routinator
NVD VulDB
CVSS 4.0
8.7
EPSS
0.0%
CVE-2024-1622 HIGH This Week

Due to a mistake in error checking, Routinator will terminate when an incoming RTR connection is reset by the peer too quickly after opening. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Routinator Fedora
NVD
CVSS 3.1
7.5
EPSS
1.0%
CVE-2023-39916 Cargo MEDIUM PATCH This Month

NLnet Labs’ Routinator 0.9.0 up to and including 0.12.1 as well as 0.14.0 up to and including 0.14.2 contains a possible path traversal vulnerability in the optional, off-by-default. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal Routinator
NVD
CVSS 3.1
6.5
EPSS
0.5%
CVE-2023-39915 HIGH This Week

NLnet Labs' Routinator up to and including version 0.12.1 may crash when trying to parse certain malformed RPKI objects. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Routinator
NVD
CVSS 3.1
7.5
EPSS
0.5%
CVE-2022-3029 Cargo HIGH PATCH This Week

In NLnet Labs Routinator 0.9.0 up to and including 0.11.2, due to a mistake in error handling, data in RRDP snapshot and delta files that isn’t correctly base 64 encoded is treated as a fatal error. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Routinator
NVD
CVSS 3.1
7.5
EPSS
0.7%
CVE-2021-43174 Cargo HIGH PATCH This Week

NLnet Labs Routinator versions 0.9.0 up to and including 0.10.1, support the gzip transfer encoding when querying RRDP repositories. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Routinator Debian Linux
NVD
CVSS 3.1
7.5
EPSS
1.2%
CVE-2021-43173 HIGH This Week

In NLnet Labs Routinator prior to 0.10.2, a validation run can be delayed significantly by an RRDP repository by not answering but slowly drip-feeding bytes to keep the connection alive. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Routinator Debian Linux
NVD
CVSS 3.1
7.5
EPSS
1.4%
CVE-2021-43172 Cargo HIGH PATCH This Week

NLnet Labs Routinator prior to 0.10.2 happily processes a chain of RRDP repositories of infinite length causing it to never finish a validation run. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Routinator
NVD
CVSS 3.1
7.5
EPSS
1.2%
CVE-2021-41531 HIGH This Week

NLnet Labs Routinator prior to 0.10.0 produces invalid RTR payload if an RPKI CA uses too large values in the max-length parameter in a ROA. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Routinator
NVD
CVSS 3.1
7.5
EPSS
0.9%
CVE-2020-17366 HIGH POC This Week

An issue was discovered in NLnet Labs Routinator 0.1.0 through 0.7.1. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Denial Of Service Routinator
NVD GitHub
CVSS 3.1
7.4
EPSS
0.7%
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Denial of service in NLnet Labs Routinator allows remote attackers to crash the RPKI validator by serving a crafted Document Type Definition (DTD) inside RRDP repository content. Exploitation requires no authentication or user interaction (CVSS 4.0 8.7, VA:H), and no public exploit identified at time of analysis. A successful crash halts RPKI relying-party processing, which can degrade route origin validation for networks that depend on Routinator output.

Denial Of Service Routinator
NVD VulDB
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Denial of service in NLnet Labs Routinator (an RPKI Relying Party software) allows remote attackers to crash the daemon by sending a specifically crafted non-UTF-8 string in the select-asn query parameter to the /api/v1/origins HTTP endpoint. The flaw only impacts deployments that expose the API to untrusted networks, and no public exploit has been identified at time of analysis. CVSS 4.0 base score is 8.2 driven by high availability impact to both the vulnerable component and downstream RPKI consumers.

Denial Of Service Routinator
NVD VulDB
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Path traversal in NLnet Labs Routinator allows remote attackers to escape the rsync cache directory by supplying rsync URIs whose module component contains '..' sequences, enabling read/write access across the entire Routinator rsync cache filesystem. The flaw is network-reachable and requires no authentication, and no public exploit identified at time of analysis. CVSS 4.0 of 8.3 reflects high integrity and availability impact with an attack requirement (AT:P) reducing it from critical.

Path Traversal Routinator
NVD VulDB
EPSS 0% CVSS 8.7
HIGH This Week

Denial of service in NLnet Labs Routinator allows remote unauthenticated attackers to crash the daemon by opening a large number of HTTP or RTR connections, exhausting file descriptors and triggering an unrecoverable exit. Only deployments exposing the HTTP or RTR server to untrusted networks are affected. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Information Disclosure Routinator
NVD VulDB
EPSS 1% CVSS 7.5
HIGH This Week

Due to a mistake in error checking, Routinator will terminate when an incoming RTR connection is reset by the peer too quickly after opening. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Routinator Fedora
NVD
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

NLnet Labs’ Routinator 0.9.0 up to and including 0.12.1 as well as 0.14.0 up to and including 0.14.2 contains a possible path traversal vulnerability in the optional, off-by-default. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal Routinator
NVD
EPSS 1% CVSS 7.5
HIGH This Week

NLnet Labs' Routinator up to and including version 0.12.1 may crash when trying to parse certain malformed RPKI objects. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Routinator
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

In NLnet Labs Routinator 0.9.0 up to and including 0.11.2, due to a mistake in error handling, data in RRDP snapshot and delta files that isn’t correctly base 64 encoded is treated as a fatal error. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Routinator
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

NLnet Labs Routinator versions 0.9.0 up to and including 0.10.1, support the gzip transfer encoding when querying RRDP repositories. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Routinator Debian Linux
NVD
EPSS 1% CVSS 7.5
HIGH This Week

In NLnet Labs Routinator prior to 0.10.2, a validation run can be delayed significantly by an RRDP repository by not answering but slowly drip-feeding bytes to keep the connection alive. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Routinator Debian Linux
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

NLnet Labs Routinator prior to 0.10.2 happily processes a chain of RRDP repositories of infinite length causing it to never finish a validation run. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Routinator
NVD
EPSS 1% CVSS 7.5
HIGH This Week

NLnet Labs Routinator prior to 0.10.0 produces invalid RTR payload if an RPKI CA uses too large values in the max-length parameter in a ROA. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Routinator
NVD
EPSS 1% CVSS 7.4
HIGH POC This Week

An issue was discovered in NLnet Labs Routinator 0.1.0 through 0.7.1. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Denial Of Service Routinator
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy