GHSA-6mv9-qcx2-3hh3

GitHub Security Advisory

Memory exhaustion in routinator

✓ GitHub Reviewed HIGH Has CVE

Advisory Details

NLnet Labs Routinator versions 0.9.0 up to and including 0.10.1 support the gzip transfer encoding when querying RRDP repositories. An RRDP repository can use this encoding to cause an out-of-memory crash in these versions of Routinator. RRDP uses XML, which allows arbitrary amounts of white space in the encoded data. The gzip scheme compresses such white space extremely well, so a very small compressed file can become huge when decompressed for further processing, big enough that Routinator runs out of memory while parsing the input and waiting for the next XML element.
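The general defence against this class of problem is to cap the decompressed size while inflating, rather than after the fact. The following is an added example, not Routinator's code or its actual fix; the names `bounded_gunzip`, `DecompressedSizeExceeded` and `constructed_sample` are hypothetical, and the sample body is constructed for illustration.

```python
import gzip
import zlib


class DecompressedSizeExceeded(Exception):
    """Raised when a gzip body inflates past the configured cap."""


def bounded_gunzip(body: bytes, max_out: int, chunk: int = 64 * 1024) -> bytes:
    """Inflate a gzip body, never holding more than max_out + 1 bytes of output."""
    d = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)  # 16+ selects gzip framing
    out = bytearray()
    data = body
    while not d.eof:
        # Request at most one byte beyond the remaining budget, so an
        # oversized body is detected without inflating the rest of it.
        budget = max_out - len(out) + 1
        piece = d.decompress(data, min(chunk, budget))
        out += piece
        if len(out) > max_out:
            raise DecompressedSizeExceeded(f"body inflates past {max_out} bytes")
        if not piece and not d.unconsumed_tail:
            # No output and no input left, but the stream never ended.
            raise ValueError("truncated gzip stream")
        data = d.unconsumed_tail
    return bytes(out)


def constructed_sample(pad_bytes: int) -> bytes:
    """Constructed input: a tiny XML element padded with white space, gzip-encoded.

    Not a valid RRDP file; it only reproduces the white-space padding
    the advisory describes.
    """
    xml = b"<notification>" + b" " * pad_bytes + b"</notification>"
    return gzip.compress(xml)


if __name__ == "__main__":
    body = constructed_sample(8 * 1024 * 1024)
    print(f"compressed: {len(body)} bytes")
    try:
        bounded_gunzip(body, max_out=1024 * 1024)
    except DecompressedSizeExceeded as exc:
        print(f"rejected: {exc}")
```

A cap on the compressed download size alone does not help here, because the compressed body stays small; the limit has to apply to the inflated stream.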

Affected Packages

crates.io routinator
Affected versions: 0.9.0 (fixed in 0.10.2)

Related CVEs

Key Information

GHSA ID: GHSA-6mv9-qcx2-3hh3
Published: November 11, 2021 12:55 AM
Last Modified: November 15, 2021 2:48 PM
CVSS Score: 7.5/10
Primary Ecosystem: crates.io
Primary Package: routinator
GitHub Reviewed: ✓ Yes

Dataset

Last updated: July 12, 2025 6:29 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.