Description
Routinator does not properly check the module component of rsync URIs, which are used to create the file system paths for the Routinator cache. This allows for path traversal by having a module name containing .., potentially providing an attacker access to the entire Routinator rsync cache.
Published: 2026-06-08
Score: 8.3 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Routinator does not properly validate the module component of rsync URIs, allowing a knowledgeable attacker to include the substring '..' and traverse outside of the intended cache directory. This flaw (CWE‑22) can expose the entire Routinator rsync cache to read access.

Affected Systems

All NLnet Labs Routinator releases prior to version 0.15.2 are affected. The fix is present in version 0.15.2 and all subsequent releases.

Risk and Exploitability

The CVSS score of 8.3 denotes a high severity, indicating a significant potential for confidentiality loss if the cache is accessed. The vulnerability requires that an attacker be able to influence the module component of rsync URIs that the Routinator instance accepts. No public exploit or KEV listing is available, and EPSS information is not provided, so the likelihood of exploitation remains uncertain. Resolving the issue by updating to 0.15.2 removes the flaw, but until then, crafted rsync URLs containing '..' in the module name can be used to read arbitrary files within the cache directory.

Generated by OpenCVE AI on June 8, 2026 at 15:51 UTC.

Remediation

Vendor Solution

This issue is fixed in 0.15.2 and all later versions.

OpenCVE Recommended Actions

  • Upgrade to Routinator 0.15.2 or later.
  • Ensure that any rsync URIs configured for the Routinator instance come from trusted sources and do not contain '..' sequences; validate or cleanse the module name if possible.
  • Restrict file system permissions on the cache directory so that only the Routinator process can access it.

Generated by OpenCVE AI on June 8, 2026 at 15:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-33mj-99mg-8g73 Routinator has cache path traversal when processing the module component of rsync URIs
History

Fri, 12 Jun 2026 01:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:nlnetlabs:routinator:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Mon, 08 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
First Time appeared Nlnetlabs
Nlnetlabs routinator
Vendors & Products Nlnetlabs
Nlnetlabs routinator

Mon, 08 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 08 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Description Routinator does not properly check the module component of rsync URIs, which are used to create the file system paths for the Routinator cache. This allows for path traversal by having a module name containing .., potentially providing an attacker access to the entire Routinator rsync cache.
Title Routinator cache path traversal using rogue rsync URIs
Weaknesses CWE-22
References
Metrics cvssV4_0

{'score': 8.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Nlnetlabs Routinator
cve-icon MITRE

Status: PUBLISHED

Assigner: NLnet Labs

Published:

Updated: 2026-06-08T15:38:59.530Z

Reserved: 2026-05-28T08:28:56.664Z

Link: CVE-2026-49233

cve-icon Vulnrichment

Updated: 2026-06-08T15:38:56.002Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-08T15:16:47.693

Modified: 2026-06-12T01:33:56.950

Link: CVE-2026-49233

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-08T17:00:15Z

Weaknesses
  • CWE-22

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')