Cyber Posture

CVE-2025-0638

Severity: High
Published: 22 January 2025
Modified: 15 April 2026
KEV Added: none listed
Patch: none listed
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0010 (27.7th percentile)
Risk Priority: 15 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Description

The initial code parsing the manifest did not check the content of the file names, yet later code assumed that it had been checked and panicked when encountering illegal characters, resulting in a crash of Routinator.

Security Summary

CVE-2025-0638 affects Routinator, an open-source Resource Public Key Infrastructure (RPKI) validator. The vulnerability arises because the initial code parsing the manifest does not check the content of file names, while subsequent code assumes validation has occurred and panics when encountering illegal characters, resulting in a crash of the Routinator process. It is rated with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and is associated with CWE-1286 (Improper Validation of Syntactic Correctness of Input).

An unauthenticated attacker with network access can exploit this vulnerability with low complexity and no user interaction required. Exploitation involves supplying a maliciously crafted manifest whose file names contain illegal characters, causing the Routinator instance to crash; the result is a denial of service, reflected in the CVSS vector as high availability impact with no confidentiality or integrity impact.

The official advisory from NLnet Labs, available at https://www.nlnetlabs.nl/downloads/routinator/CVE-2025-0638.txt, provides further details on the issue.
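As an added illustration of the defensive pattern (example code written for this page, not Routinator's own), the following Rust validates every manifest file name at parse time and returns an error instead of letting later code panic. The allowed character set is an assumption modelled on RFC 9286 section 4.2.2, and the line-based entry format and sample entries are constructed for the example.

```rust
// Added example (not Routinator's code): validate manifest file names at parse
// time and return an error instead of letting later code panic on them.
// Allowed character set is an assumption modelled on RFC 9286 section 4.2.2:
// [a-zA-Z0-9_-] plus a single '.' followed by a three-character extension.

#[derive(Debug, PartialEq)]
pub enum ManifestError {
    EmptyName,
    IllegalCharacter { name: String, pos: usize },
    BadExtension(String),
}

/// Ok(()) if `name` is a well-formed manifest file name, Err describing why not.
pub fn check_file_name(name: &str) -> Result<(), ManifestError> {
    if name.is_empty() {
        return Err(ManifestError::EmptyName);
    }
    // Reject any character outside the allowed set, reporting its position.
    for (pos, c) in name.char_indices() {
        if !(c.is_ascii_alphanumeric() || c == '-' || c == '_' || c == '.') {
            return Err(ManifestError::IllegalCharacter { name: name.to_string(), pos });
        }
    }
    // Exactly one '.', non-empty stem, three-character extension.
    let parts: Vec<&str> = name.split('.').collect();
    if parts.len() != 2 || parts[0].is_empty() || parts[1].len() != 3 {
        return Err(ManifestError::BadExtension(name.to_string()));
    }
    Ok(())
}

/// Parses a constructed "filename hexhash" line list, failing closed on the
/// first bad name so nothing downstream ever sees an unchecked entry.
pub fn parse_manifest_entries(text: &str) -> Result<Vec<(String, String)>, ManifestError> {
    let mut entries = Vec::new();
    for line in text.lines().filter(|l| !l.trim().is_empty()) {
        let mut fields = line.split_whitespace();
        let name = fields.next().unwrap_or("");
        let hash = fields.next().unwrap_or("");
        check_file_name(name)?;
        entries.push((name.to_string(), hash.to_string()));
    }
    Ok(entries)
}

fn main() {
    // Constructed sample: a valid entry followed by a name containing '/'.
    let sample = "abc123.roa 0a1b\nsub/dir.roa 2c3d\n";
    println!("{:?}", parse_manifest_entries(sample));
}
```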

Details

CWE(s)
CWE-1286

References