
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2021-43174 affects NLnet Labs Routinator versions 0.9.0 through 0.10.1. The vulnerability was disclosed in November 2021 and concerns the software's support for gzip transfer encoding (compression of the HTTP response body) when fetching RRDP (RPKI Repository Delta Protocol) repositories (NVD, Vendor Advisory).
The vulnerability stems from how Routinator handles the XML data served by RRDP repositories. Gzip compresses long runs of identical bytes extremely well (deflate tops out near 1000:1 on such input), so an XML document padded with large amounts of whitespace is tiny on the wire yet expands by orders of magnitude on decompression, the classic decompression-bomb pattern. Because the padding can sit between XML elements, Routinator buffers it while waiting for the next element and exhausts available memory. The vulnerability has been assigned a CVSS v3.1 Base Score of 7.5 (HIGH) with a vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (NVD).
Exploitation requires only that Routinator fetch a malicious or compromised RRDP repository: the crafted response drives the process out of memory and crashes it. The impact is purely availability (the vector records no confidentiality or integrity loss): the RPKI validation service is disrupted, and anything relying on Routinator for validated route data stops receiving fresh results until it is restarted (Vendor Advisory).
The issue has been addressed in Routinator version 0.10.2 by disabling gzip encoding entirely. Users are advised to upgrade to version 0.10.2 or later. The vendor chose this over merely bounding decompression: even with memory use capped, a repository could still force Routinator to decompress and parse very large XML documents, and that alone would severely delay validation runs (Vendor Advisory).
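As an added illustration (example code written for this page, not Routinator's own implementation or the vendor's fix), the following Python shows both halves of the problem described above: a constructed whitespace-padded XML document is gzipped to measure how far it expands, and then a bounded decompressor inflates it incrementally and refuses to continue once the output passes a hard cap, the kind of mitigation the advisory considered and rejected in favour of disabling gzip. The XML content, the rsync URI and the size limits are made up for illustration; nothing is fetched from a network.

```python
"""Added example (not Routinator's code): a gzip'd RRDP-style response as a
decompression bomb, and a bounded decompressor that refuses to inflate past a cap.
All input is constructed here; nothing is fetched from the network."""
import gzip
import io


class DecompressionLimitExceeded(Exception):
    """Raised when inflated output would exceed the configured cap."""


def make_padded_xml(padding_bytes: int) -> bytes:
    """Constructed sample: a minimal RRDP-like snapshot document with
    `padding_bytes` of whitespace inserted between two elements. The XML is
    illustrative only and is not a valid RFC 8182 snapshot."""
    head = b'<?xml version="1.0" encoding="UTF-8"?>\n<snapshot version="1" serial="1">\n'
    tail = (b'  <publish uri="rsync://rrdp.example.invalid/repo/ca.cer">QUFBQQ==</publish>\n'
            b'</snapshot>\n')
    return head + b" " * padding_bytes + tail


def gzip_bytes(data: bytes) -> bytes:
    """Compress as a server answering with Content-Encoding: gzip would."""
    return gzip.compress(data, compresslevel=9)


def expansion_ratio(compressed: bytes) -> float:
    """Inflated size divided by wire size. Deflate tops out near 1032:1 on a
    run of a single byte, so a few KB on the wire can become several MB."""
    return len(gzip.decompress(compressed)) / len(compressed)


def decompress_bounded(compressed: bytes, max_output: int, chunk: int = 64 * 1024) -> bytes:
    """Inflate gzip data incrementally and abort once the output exceeds
    max_output bytes. Peak memory stays around max_output + chunk no matter
    how large the inflated document would be; a naive gzip.decompress()
    would allocate the whole thing, which is the out-of-memory condition."""
    out = bytearray()
    with gzip.GzipFile(fileobj=io.BytesIO(compressed), mode="rb") as gz:
        while True:
            piece = gz.read(chunk)  # at most `chunk` inflated bytes per call
            if not piece:
                break
            out += piece
            if len(out) > max_output:
                raise DecompressionLimitExceeded(
                    f"inflated output exceeded {max_output} bytes; refusing to continue")
    return bytes(out)


def exceeds_limit(compressed: bytes, max_output: int) -> bool:
    """True when inflating `compressed` would trip the cap."""
    try:
        decompress_bounded(compressed, max_output)
    except DecompressionLimitExceeded:
        return True
    return False


if __name__ == "__main__":
    bomb = gzip_bytes(make_padded_xml(4 * 1024 * 1024))  # 4 MiB of spaces
    print(f"wire size: {len(bomb)} bytes, expansion ratio: {expansion_ratio(bomb):.0f}x")
    print("rejected under a 1 MiB cap:", exceeds_limit(bomb, 1 << 20))
```

The cap prevents the crash but not the cost: a repository can still serve a document just under the limit and make the client inflate and parse it on every run, which is the validation-delay concern the vendor cited. Not advertising gzip at all, as Routinator 0.10.2 does, removes both problems at the price of larger transfers for honest repositories.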
Source: This report was generated using AI