GHSA-g9wh-3vrx-r7hg
GitHub Security Advisory
OctoRPKI crashes when processing GZIP bomb returned via malicious repository
✓ GitHub Reviewed
MODERATE
Has CVE
Advisory Details
OctoRPKI loads the entire contents of a repository into memory and, when that content is gzip-compressed, decompresses it in memory without bounding the decompressed size. A malicious repository can therefore return a GZIP bomb (a small compressed stream that expands to a very large output), causing OctoRPKI to run out of memory and crash.
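The Go program below is an added example written for this page; it is not code from the advisory or from the cfrpki project and does not reproduce the project's actual 1.4.0 fix. It constructs a small gzip stream that expands to tens of megabytes of zeros (a constructed test input, not a real repository payload), shows the unbounded read pattern the advisory describes (io.ReadAll over a gzip.Reader), and contrasts it with a decompressor that wraps the reader in io.LimitReader so an output cap (an assumed 1 MiB policy value here) is enforced before the memory is allocated.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"errors"
	"fmt"
	"io"
)

// ErrTooLarge is returned when a gzip stream would expand past the cap.
var ErrTooLarge = errors.New("decompressed data exceeds size limit")

// makeZeroBomb is a constructed test input (not a real repository payload):
// a gzip stream that is a few kilobytes on the wire but expands to n zero
// bytes. Highly repetitive input is what gives a GZIP bomb its ratio.
func makeZeroBomb(n int) []byte {
	var buf bytes.Buffer
	zw, err := gzip.NewWriterLevel(&buf, gzip.BestCompression)
	if err != nil {
		panic(err) // only fails on an invalid level constant
	}
	chunk := make([]byte, 64*1024)
	for n > 0 {
		w := len(chunk)
		if n < w {
			w = n
		}
		if _, err := zw.Write(chunk[:w]); err != nil {
			panic(err) // writing to a bytes.Buffer does not fail
		}
		n -= w
	}
	if err := zw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

// gunzipUnbounded is the pattern the advisory describes: the whole
// decompressed body is read into memory with no upper bound, so the
// remote repository decides how much this process allocates.
func gunzipUnbounded(compressed []byte) ([]byte, error) {
	zr, err := gzip.NewReader(bytes.NewReader(compressed))
	if err != nil {
		return nil, err
	}
	defer zr.Close()
	return io.ReadAll(zr)
}

// gunzipBounded decompresses at most maxBytes. It wraps the gzip reader in
// an io.LimitReader of maxBytes+1 so a stream that would overshoot the cap
// is detected and rejected instead of being fully allocated.
func gunzipBounded(compressed []byte, maxBytes int64) ([]byte, error) {
	zr, err := gzip.NewReader(bytes.NewReader(compressed))
	if err != nil {
		return nil, err
	}
	defer zr.Close()
	out, err := io.ReadAll(io.LimitReader(zr, maxBytes+1))
	if err != nil {
		return nil, err
	}
	if int64(len(out)) > maxBytes {
		return nil, ErrTooLarge
	}
	return out, nil
}

func main() {
	const limit = 1 << 20          // 1 MiB cap: an assumed policy value
	bomb := makeZeroBomb(64 << 20) // expands to 64 MiB
	fmt.Printf("compressed size: %d bytes\n", len(bomb))

	full, err := gunzipUnbounded(bomb)
	fmt.Printf("unbounded: allocated %d bytes, err=%v\n", len(full), err)

	_, err = gunzipBounded(bomb, limit)
	fmt.Printf("bounded to %d bytes: err=%v\n", limit, err)
}
```

The cap has to apply to the decompressed output, not the compressed input: DEFLATE can reach a ratio of roughly 1000:1 on repetitive data, so a few kilobytes fetched from the repository is enough to expand into many megabytes, and a limit on the download size alone does not prevent the crash.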
## Patches
Fixed in version 1.4.0. Upgrade to 1.4.0 or later.
## For more information
If you have any questions or comments about this advisory, email us at [email protected]
Affected Packages
Go
github.com/cloudflare/cfrpki
Affected versions: all versions before 1.4.0 (fixed in 1.4.0)
Related CVEs
Key Information
Severity score: 5.0/10
Dataset
Last updated: September 17, 2025 6:29 AM
Data from GitHub Advisory Database. This information is provided for research and educational purposes.