### Impact
Attackers can create long chains of CAs that would lead to OctoRPKI exceeding its max iterations parameter. In consequence it would cause the program to crash, preventing it from finishing the validation and leading to a denial of service. Credits to Donika Mirdita and Haya Shulman - Fraunhofer SIT, ATHENE, who discovered and reported this vulnerability.

### Specific Go Packages Affected
github.com/cloudflare/cfrpki/cmd/octorpki

### Patches
This issue is fixed in v1.4.4

### Workarounds
None.

Affected Packages

Go github.com/cloudflare/cfrpki

Affected versions: 0 (fixed in 1.4.4)

Related CVEs

CVE-2022-3616

Key Information

GHSA ID

GHSA-pmw9-567p-68pc

Published

October 31, 2022 6:45 PM

Last Modified

October 2, 2023 11:15 AM

CVSS Score

5.0 /10

Primary Ecosystem

Primary Package

github.com/cloudflare/cfrpki

GitHub Reviewed

✓ Yes

Dataset

Last updated: September 12, 2025 6:34 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.