CVE-2025-0638
Published: 22 January 2025
Summary
CVE-2025-0638 is a high-severity Improper Validation of Syntactic Correctness of Input (CWE-1286) vulnerability affecting NLnet Labs software (vendor inferred from references). Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 27.6th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-11 (Error Handling).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly addresses the improper validation of syntactic correctness in manifest file names (CWE-1286), preventing downstream code from encountering unvalidated illegal characters.
Mandates graceful error handling to avoid process crashes when subsequent code encounters illegal characters assumed to be validated.
Requires timely flaw remediation through vulnerability scanning and patching of the specific Routinator manifest parsing defect.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A network-accessible input validation flaw in a public RPKI service allows a crafted manifest to trigger a process crash (application exploitation for DoS).
NVD Description
The initial code parsing the manifest did not check the content of the file names yet later code assumed that it was checked and panicked when encountering illegal characters, resulting in a crash of Routinator.
Deeper analysis
CVE-2025-0638 affects Routinator, an open-source Resource Public Key Infrastructure (RPKI) validator. The vulnerability arises because the initial code parsing the manifest does not check the content of file names, while subsequent code assumes validation has occurred and panics when encountering illegal characters, resulting in a crash of the Routinator process. It is rated with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and is associated with CWE-1286 (Improper Validation of Syntactic Correctness of Input).
An unauthenticated attacker with network access can exploit this vulnerability with low complexity and no user interaction. Exploitation involves providing a maliciously crafted manifest containing file names with illegal characters, which crashes the Routinator instance. The resulting denial of service is the high availability impact recorded in the CVSS vector.
The official advisory from NLnet Labs, available at https://www.nlnetlabs.nl/downloads/routinator/CVE-2025-0638.txt, provides further details on the issue.
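The defect class described above (a parser that accepts names unchecked while later code trusts them) is avoided by validating at parse time and carrying the result in a type that cannot be built any other way. The Rust code below is an added example, not Routinator's code or its actual fix; `ManifestFileName`, `NameError` and `parse_file_list` are hypothetical names, and the allowed character set is an assumption modelled on the RFC 9286 manifest file-name rule.

```rust
// Added illustration, not Routinator code. All names are hypothetical.

/// A manifest file name that has passed syntactic validation.
/// `parse` is the only constructor, so code holding this type
/// never sees an unchecked name.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct ManifestFileName(String);

#[derive(Debug, PartialEq, Eq)]
pub enum NameError {
    BadShape,        // no dot, empty stem, or extension not three letters
    IllegalByte(u8), // byte outside the allowed set
}

impl ManifestFileName {
    /// Assumed rule (after RFC 9286): one or more of [a-zA-Z0-9-_],
    /// a single '.', then a three-letter extension.
    pub fn parse(raw: &[u8]) -> Result<Self, NameError> {
        let dot = raw.iter().rposition(|&b| b == b'.').ok_or(NameError::BadShape)?;
        let (stem, ext) = (&raw[..dot], &raw[dot + 1..]);
        let stem_ok = |b: u8| b.is_ascii_alphanumeric() || b == b'-' || b == b'_';
        if let Some(&b) = stem.iter().find(|&&b| !stem_ok(b)) {
            return Err(NameError::IllegalByte(b));
        }
        if let Some(&b) = ext.iter().find(|b| !b.is_ascii_alphabetic()) {
            return Err(NameError::IllegalByte(b));
        }
        if stem.is_empty() || ext.len() != 3 {
            return Err(NameError::BadShape);
        }
        // Every byte is ASCII here, so this conversion is lossless.
        Ok(Self(String::from_utf8_lossy(raw).into_owned()))
    }

    pub fn as_str(&self) -> &str {
        &self.0
    }
}

/// Validate every entry while parsing. One bad name rejects the whole
/// manifest with an error value instead of a panic further downstream.
pub fn parse_file_list(raw: &[&[u8]]) -> Result<Vec<ManifestFileName>, NameError> {
    raw.iter().map(|n| ManifestFileName::parse(n)).collect()
}

fn main() {
    // Constructed sample inputs.
    let good: [&[u8]; 2] = [b"roa-1.roa", b"crl_A.crl"];
    let bad: [&[u8]; 2] = [b"ok.cer", b"bad\x00name.roa"];
    println!("{:?}", parse_file_list(&good));
    println!("{:?}", parse_file_list(&bad));
}
```

A caller that receives `Err` can log the manifest as invalid and continue with the next publication point, which is the behaviour the SI-10 and SI-11 controls listed above call for.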
Details
- CWE(s)