Seven years of godspeed: Audit confirms Routinator's maturity
Routinator was recently audited by X41 D-Sec. They found that "the system appears to be on a good security level and uses Rust’s safety features well".
Over 7 years ago we published Routinator v0.1.0 titled "Godspeed". Since then the adoption of Resource Public Key Infrastructure (RPKI) and Route Origin Validation (ROV) has skyrocketed. As of July 2026, over 5000 RPKI relying party clients are fetching RPKI data worldwide, of which over 4000 are using Routinator. Needless to say, quite a bit of the Internet depends on Routinator working correctly.
We like to think we are pretty good at making resilient software at NLnet Labs. We know from the past 7 years that Routinator works really well in practice. We also try to handle all the ways a future adversary might try to abuse the way Routinator works. Basically, we try very hard to make sure Routinator runs reliably and cannot be hacked or tampered with. We even published a threat model for Routinator recently highlighting all the things Routinator will promise to do (given a few assumptions like your system not being compromised already), and we do not like to break our promises.
But we don't just want to mark our own homework, hence when the opportunity came by the Sovereign Tech Agency to take part in their Sovereign Tech Resilience programme, and have Routinator undergo an audit, we immediately applied. The audit was conducted by X41 D-Sec, who did a wonderful job of putting Routinator through the wringer. This all culminated in Routinator v0.15.2 that we released to the public on the 8th of June 2026.
We want to share what we did based on the audit, and what lessons we learnt for the future. And to channel our Open Source spirit, we also share the audit report in full, though this excerpt summarises it quite well:
Overall, the system appears to be on a good security level and uses Rust’s safety features well. The audit showed that the source code follows the protocol definitions closely, and appropriately establishes trust by verifying signatures before updating data in the local state. The weaknesses observed deal mainly with DoS vectors and availability, which can often be difficult to continuously keep in mind during development.
The audit found six issues, all of which have been remediated. There were also eight other findings that we tackled as well.
We can group the six issues into four categories:
- The HTTP/RTR server being too eager to quit Routinator on errors, even ones that can be recovered from (CVE-2026-49232);
- RPKI objects being able to write to other parts of the cache they should not be able to influence (CVE-2026-49233);
- A parsing error for AS numbers, which can cause Routinator to exit on malformed UTF-8 input to the API (CVE-2026-49234);
- A parsing error for XML where a specifically crafted XML document could make the XML parser and Routinator crash (CVE-2026-49235). This issue was found in a dependency Routinator uses to parse XML, called
quick-xml, which has been fixed there. We are happy that we have been able to give back to the community this way as well.
All of these are now fixed in v0.15.2. Apart from just fixing these issues, we have started to look even more thoroughly, and being even more defensive, about what input we accept, even when we do not have a way to exploit it yet. We took this approach when we tackled the eight other issues they found. Even though X-41 D-Sec did not find a way to exploit them, we still wanted to tackle them now, in case someone in the future does find a way.
The main lesson we learnt is that we look even more strictly when parsing input data. Whilst before we did already try to make sure invalid data was rejected, we insufficiently looked at technically-valid-but-unreasonable data that could make Routinator crawl to a hold (or even crash when out of memory) when parsed. Especially if we also cache this data, meaning it would try to parse this data again on restarts, and then run into the same issue. We will keep hardening this in the future.
We want to thank the people at the Sovereign Tech Agency for commissioning the audit, and the people at X41 D-Sec for doing the audit. Together we made the Internet even more resilient!
One more thing: you only benefit from these improvements if you update to the latest version of Routinator. We still see many instances that are quite a few versions behind, so if you have not done so already: go and update!