CVE-2026-49234 PUBLISHED

Routinator crashes on specifically crafted ASN strings in the API

Assigner: NLnet Labs
Reserved: 28.05.2026 Published: 08.06.2026 Updated: 08.06.2026

Routinator crashes when a specifically crafted non-UTF-8 string is sent as the select-asn query parameter to the /api/v1/origins endpoint.

This only affects users who allow API access from untrusted networks.

Metrics

CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H
CVSS Score: 8.2

Product Status

Vendor: NLnet Labs
Product: Routinator
Versions: Default: affected
  • unaffected from 0.15.2 to * (excl.)

Solutions

This issue is fixed in 0.15.2 and all later versions.

Credits

  • X41 D-Sec GmbH (finder)

Problem Types

  • CWE-20: Improper Input Validation