CVE-2021-3912

MEDIUM4.2EPSS 0.55%

OctoRPKI crashes when processing GZIP bomb returned via malicious repository

Published: 11/10/2021Modified: 3/13/2026

Also known as:GHSA-g9wh-3vrx-r7hgGO-2022-0253

Description

OctoRPKI tries to load the entire contents of a repository in memory, and in the case of a GZIP bomb, unzip it in memory, making it possible to create a repository that makes OctoRPKI run out of memory (and thus crash). ## Patches ## For more information If you have any questions or comments about this advisory email us at [email protected]

Affected packages (3)

Debian/cfrpkifrom 0, < 1.4.2-1~deb11u1
Go/github.com/cloudflare/cfrpkifrom 0, < 1.4.0
Go/github.com/cloudflare/cfrpkifrom 0, < 1.4.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM4.2	CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H

References (7)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2021-3912
ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2021-3912
PATCHgithub.com/cloudflare/cfrpki
WEBhttps://github.com/cloudflare/cfrpki/commit/648658b1b176a747b52645989cfddc73a81eacad
WEBhttps://github.com/cloudflare/cfrpki/security/advisories/GHSA-g9wh-3vrx-r7hg
WEBhttps://pkg.go.dev/vuln/GO-2022-0253
WEBhttps://www.debian.org/security/2022/dsa-5041