CVE-2023-39916
📋 TL;DR
Routinator's optional, off-by-default keep-rrdp-responses feature writes every RRDP response it fetches to a directory on disk, deriving the file path from the response's URL. Because those URL components were not sanitized, an attacker who controls an RRDP repository that Routinator fetches from can embed path traversal sequences (../) in the URLs it serves and make Routinator write files outside the intended directory. Only Routinator instances with the feature turned on are affected.
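The bug class in the TL;DR, as an added illustration (this is not Routinator's code, which is written in Rust): a naive mapping of an RRDP URL onto a file path beside a hardened version. It assumes, purely for illustration, that responses are stored as base_dir/host/path; Routinator's actual on-disk layout may differ. The base directory and URLs are constructed sample values.

```python
"""Added example (not Routinator's code): the vulnerable pattern behind a
"kept responses" path traversal, next to a hardened version.

Assumption for illustration: responses are stored as
<base_dir>/<host>/<uri path>. Routinator's real on-disk layout may differ.
"""
import os
from typing import Optional
from urllib.parse import unquote, urlsplit

# Constructed sample values; the directory does not need to exist.
BASE_DIR = "/var/lib/routinator/rrdp"
BENIGN_URI = "https://rpki.example.net/rrdp/notification.xml"
EVIL_URI = "https://rpki.example.net/../../../../../etc/cron.d/backdoor"


def naive_response_path(base_dir: str, uri: str) -> str:
    """Vulnerable pattern: splice host and path from the URI straight into a
    filesystem path. '..' segments supplied by the remote server walk out of
    base_dir once the path is normalised (or opened by the kernel)."""
    parts = urlsplit(uri)
    return os.path.normpath(os.path.join(base_dir, parts.netloc, parts.path.lstrip("/")))


def safe_response_path(base_dir: str, uri: str) -> Optional[str]:
    """Hardened pattern: treat every URI component as untrusted.
    - percent-decode before inspecting, so %2e%2e and %2f do not slip through
    - reject '.', '..' and any separator or NUL inside a segment
    - finally re-check that the resolved path is still under base_dir
    Returns None when the response must not be written anywhere."""
    parts = urlsplit(uri)
    if parts.scheme != "https" or not parts.netloc:
        return None
    host = unquote(parts.netloc)
    segments = [unquote(s) for s in parts.path.split("/") if s]
    for seg in [host, *segments]:
        if seg in (".", "..") or any(c in seg for c in "/\\\0"):
            return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, host, *segments))
    # Belt and braces: even if the checks above are ever loosened, refuse
    # any result that does not stay inside the base directory.
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def escapes_base(base_dir: str, path: str) -> bool:
    """True when path lies outside base_dir (used to demonstrate the bug)."""
    base = os.path.realpath(base_dir)
    return os.path.commonpath([base, os.path.realpath(path)]) != base


if __name__ == "__main__":
    print("naive :", naive_response_path(BASE_DIR, EVIL_URI))
    print("safe  :", safe_response_path(BASE_DIR, EVIL_URI))
    print("benign:", safe_response_path(BASE_DIR, BENIGN_URI))
```

The final commonpath check is deliberately redundant with the per-segment rejection: segment filtering is what makes the function correct, and the containment check is what keeps it correct if someone later relaxes the filter.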
💻 Affected Systems
- NLnet Labs Routinator
📦 What is this software?
Routinator is NLnet Labs' RPKI relying party software (validator). It fetches RPKI data from repositories over rsync and RRDP, validates it, and serves the resulting validated ROA payloads to routers, typically over RTR.
⚠️ Risk & Real-World Impact
Worst Case
Arbitrary file write with the privileges of the Routinator process. If Routinator runs as root, or can reach locations such as cron directories, shell profiles or SSH authorized_keys files, that can escalate to code execution and full host compromise.
Likely Case
File writes limited to locations the Routinator service user can reach: corruption or overwriting of Routinator's own data, planting of files for later use, or denial of service by filling the disk.
If Mitigated
The feature is off by default, so an instance that never enabled it cannot be exploited.
🎯 Exploit Status
Exploitation requires the vulnerable feature to be enabled and the attacker to control the RRDP URLs Routinator fetches, i.e. to operate (or have compromised) an RRDP repository that the validator is led to fetch during validation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.12.2 (or later)
Vendor Advisory: https://nlnetlabs.nl/downloads/routinator/CVE-2023-39916.txt
Restart Required: Yes
Instructions:
1. Obtain Routinator 0.12.2 or later from NLnet Labs (package repository or release).
2. Stop the Routinator service.
3. Install the patched build so that it replaces the vulnerable binary.
4. Restart the Routinator service and confirm the new version with routinator --version.
🔧 Temporary Workarounds
Disable the keep-rrdp-responses feature
Turn off the vulnerable feature in the Routinator configuration; it is off by default and intended for debugging, so disabling it does not affect validation.
Remove the rrdp-keep-responses option from routinator.conf (and any --rrdp-keep-responses command-line option in the service unit or wrapper script). The option takes a directory path; when it is absent, no responses are written to disk. Restart Routinator afterwards.
🧯 If You Can't Patch
- Ensure the keep-rrdp-responses feature is disabled on every instance: check the config file and any command-line options passed by the service unit
- Do not rely on network segmentation: a validator must fetch from whatever RRDP repositories the RPKI tree points to, so it cannot be cut off from untrusted sources. Instead, run Routinator as a dedicated unprivileged user with a restricted filesystem view (e.g. a systemd unit with ProtectSystem and an explicit ReadWritePaths list, or a container) so that an out-of-directory write cannot reach sensitive locations
🔍 How to Verify
Check if Vulnerable:
Check the Routinator version and configuration: if the version is 0.9.0 through 0.12.1 AND the rrdp-keep-responses option is set (in routinator.conf or on the command line), the instance is vulnerable.
Check Version:
routinator --version
Verify Fix Applied:
Verify that the Routinator version is 0.12.2 or later; the patched versions reject traversal sequences in the file names derived from RRDP URLs. If the feature is still needed, also check that files only appear under the configured directory after a validation run.
📡 Detection & Monitoring
Log Indicators:
- Files created or modified by the Routinator service user outside its data directory and the configured rrdp-keep-responses directory (file-integrity monitoring such as auditd or AIDE on those paths)
- Unexpected files inside the kept-responses directory whose paths do not correspond to a repository host and path
Network Indicators:
- RRDP notification, snapshot or delta files whose uri attributes contain traversal sequences (../, including percent-encoded forms such as %2e%2e or ..%2f), observed on an egress proxy or in captured traffic
SIEM Query:
source="routinator" AND ("../" OR "%2e%2e" OR "..%2f")
Note that vulnerable versions do not log the traversal as such, so this query only catches URLs that Routinator happens to log; file-integrity alerts on the service user's writes are the more reliable signal.
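Detection logic for the indicators above, as an added example that is not part of the original page or of Routinator: it flags uri attributes with traversal sequences in an RRDP notification file and scans arbitrary log lines for URLs carrying the same sequences. The notification XML and the log lines are constructed samples, and the log line format is an assumption, not Routinator's own.

```python
"""Added example (not Routinator's code): flag RRDP content or log lines
whose URIs carry path traversal sequences. The notification XML and the log
lines below are constructed samples; the log format is not Routinator's."""
import re
from urllib.parse import unquote, urlsplit
import xml.etree.ElementTree as ET

RRDP_NS = "{http://www.ripe.net/rpki/rrdp}"  # RFC 8182 RRDP namespace
URL_RE = re.compile(r"(?:https?|rsync)://[^\s\"'<>]+")

# Constructed RRDP notification file with one benign and one malicious URI.
SAMPLE_NOTIFICATION = """<?xml version="1.0" encoding="UTF-8"?>
<notification xmlns="http://www.ripe.net/rpki/rrdp" version="1"
              session_id="9df4b597-af9e-4dca-bdda-719cce2c4e28" serial="42">
  <snapshot uri="https://rpki.example.net/rrdp/snapshot.xml" hash="aa"/>
  <delta serial="42" uri="https://rpki.example.net/rrdp/../../../../tmp/delta.xml" hash="bb"/>
</notification>
"""

# Constructed log lines (assumed format, not Routinator's actual messages).
SAMPLE_LOG_LINES = [
    "rrdp: fetching https://rpki.example.net/rrdp/notification.xml",
    "rrdp: fetching https://rpki.example.net/rrdp/%2e%2e/%2e%2e/%2e%2e/etc/crontab",
    "rsync: syncing rsync://rpki.example.net/repo/",
]


def is_traversal_uri(uri: str) -> bool:
    """True when the host or any path segment becomes '..' after
    percent-decoding. Decodes twice to catch double-encoded %252e%252e and
    treats backslash as a separator so ..\\ variants are caught too."""
    parts = urlsplit(uri)
    decoded = unquote(unquote(parts.path)).replace("\\", "/")
    if any(seg == ".." for seg in decoded.split("/")):
        return True
    return unquote(unquote(parts.netloc)) == ".."


def traversal_uris_in_notification(xml_text: str):
    """Return (element name, uri) for every uri attribute with traversal."""
    hits = []
    for elem in ET.fromstring(xml_text).iter():
        uri = elem.get("uri")
        if uri and is_traversal_uri(uri):
            hits.append((elem.tag.replace(RRDP_NS, ""), uri))
    return hits


def traversal_uris_in_lines(lines):
    """Return (1-based line number, url) for each suspicious URL in lines."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        for match in URL_RE.finditer(line):
            if is_traversal_uri(match.group(0)):
                hits.append((lineno, match.group(0)))
    return hits


if __name__ == "__main__":
    for tag, uri in traversal_uris_in_notification(SAMPLE_NOTIFICATION):
        print(f"notification <{tag}>: {uri}")
    for lineno, url in traversal_uris_in_lines(SAMPLE_LOG_LINES):
        print(f"log line {lineno}: {url}")
```

Scanning the notification file directly (e.g. from an egress proxy cache) is the more useful of the two checks, because the malicious uri reaches Routinator before any log line is written; the plain string match in the SIEM query above misses the percent-encoded forms this function decodes.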