Description
When a specially crafted non-UTF-8 string is sent as the select-asn query parameter to the /api/v1/origins endpoint, Routinator crashes.

This only affects users who allow API access from untrusted networks.
Published: 2026-06-08
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises when a specially crafted non‑UTF‑8 ASN string is supplied as the select‑asn query parameter to the /api/v1/origins API endpoint. This input causes the Routinator process to crash, leading to a denial of service for users running the affected version of the software. The flaw is a classic example of improper input validation (CWE‑20).

Affected Systems

The affected product is NLnet Labs Routinator. Versions prior to 0.15.2 are impacted; the issue is fixed in 0.15.2 and subsequent releases. The problem only manifests when API access is enabled and exposed to untrusted networks, so operators who restrict API traffic to internal or trusted networks are not exposed.

Risk and Exploitability

With a CVSS score of 8.2, the vulnerability is rated high severity. The EPSS score is <1%, indicating a very low probability of exploitation. It is not listed in CISA's KEV catalog, but the flaw can be exploited by an attacker who can send HTTP requests to the vulnerable endpoint from an untrusted network. Exploitation results in a crash without giving the attacker further privileges or data. The risk is therefore confined to loss of availability for the affected system, yet the potential impact on a public‑facing API warrants swift remediation.

Generated by OpenCVE AI on June 12, 2026 at 02:23 UTC.

Remediation

Vendor Solution

This issue is fixed in 0.15.2 and all later versions.


OpenCVE Recommended Actions

  • Upgrade Routinator to version 0.15.2 or later, which contains the fix.
  • If an immediate upgrade is not possible, limit API exposure by configuring firewall rules or NLnet Labs' routing configuration to allow API traffic only from trusted IP ranges.
  • As an interim measure, enforce strict input validation on the select‑asn query parameter by rejecting non‑UTF‑8 data or empty strings before they are passed to the API handler.
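
One way to implement the interim input check from the last item, as an added example that is not Routinator's code or part of the advisory: a pre-filter for the raw query string that a proxy in front of the API could call before forwarding a request. The function names and the accepted ASN format (optional "AS" prefix plus a 32-bit decimal number) are assumptions.

```rust
// Added example, not Routinator code: pre-filter for the raw query string of
// /api/v1/origins, for a hypothetical proxy hook in front of the API.

/// Percent-decode one query component into raw bytes; None on a bad escape.
fn percent_decode(raw: &[u8]) -> Option<Vec<u8>> {
    let mut out = Vec::with_capacity(raw.len());
    let mut i = 0;
    while i < raw.len() {
        if raw[i] == b'%' {
            let hi = (*raw.get(i + 1)? as char).to_digit(16)?;
            let lo = (*raw.get(i + 2)? as char).to_digit(16)?;
            out.push((hi * 16 + lo) as u8);
            i += 3;
        } else {
            out.push(if raw[i] == b'+' { b' ' } else { raw[i] });
            i += 1;
        }
    }
    Some(out)
}

/// Assumed value format: optional "AS" prefix, then a 32-bit decimal number.
fn is_plain_asn(value: &str) -> bool {
    let digits = value.strip_prefix("AS")
        .or_else(|| value.strip_prefix("as"))
        .unwrap_or(value);
    !digits.is_empty()
        && digits.bytes().all(|b| b.is_ascii_digit())
        && digits.parse::<u32>().is_ok()
}

/// True only if every select-asn value decodes to valid UTF-8 and is a plain ASN.
fn select_asn_ok(raw_query: &[u8]) -> bool {
    for pair in raw_query.split(|&c| c == b'&') {
        let mut kv = pair.splitn(2, |&c| c == b'=');
        let key = match percent_decode(kv.next().unwrap_or_default()) {
            Some(k) => k,
            None => return false, // malformed escape in a key: reject
        };
        if key != b"select-asn" { continue; }
        let ok = percent_decode(kv.next().unwrap_or_default())
            .and_then(|bytes| String::from_utf8(bytes).ok())
            .map_or(false, |s| is_plain_asn(&s));
        if !ok { return false; } // non-UTF-8, empty, or not an ASN
    }
    true
}

fn main() {
    // Constructed sample query.
    println!("{}", select_asn_ok(b"select-asn=AS64496&format=json"));
}
```

A request for which `select_asn_ok` returns false should be answered with a 400 at the proxy and never forwarded.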


Advisories
Source ID Title
GitHub GHSA GHSA-gc6q-cwcj-3vh9 Routinator crashes when sending a maliciously crafted select-asn query parameter
History

Fri, 12 Jun 2026 01:30:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:a:nlnetlabs:routinator:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


Mon, 08 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 08 Jun 2026 15:45:00 +0000

Type Values Removed Values Added
First Time appeared Nlnetlabs
Nlnetlabs routinator
Vendors & Products Nlnetlabs
Nlnetlabs routinator

Mon, 08 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Description When sending a specifically crafted non-UTF-8 string as select-asn query parameter to the /api/v1/origins endpoint, Routinator crashes. This only affects users who allow API access from untrusted networks.
Title Routinator crashes on specifically crafted ASN strings in the API
Weaknesses CWE-20
References
Metrics cvssV4_0

{'score': 8.2, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H'}


MITRE

Status: PUBLISHED

Assigner: NLnet Labs

Published:

Updated: 2026-06-08T15:39:39.130Z

Reserved: 2026-05-28T08:28:56.664Z

Link: CVE-2026-49234

Vulnrichment

Updated: 2026-06-08T15:39:24.735Z

NVD

Status : Analyzed

Published: 2026-06-08T15:16:48.080

Modified: 2026-06-12T01:28:23.370

Link: CVE-2026-49234

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-12T02:30:11Z

Weaknesses