Routinator 0.14.1 ‘Black Cats and Voodoo Dolls’ released

We are pleased to announce the latest release of Routinator, version 0.14.1 ‘Black Cats and Voodoo Dolls.’

Routinator is an RPKI relying party software that collects and validates statements in the Resource Public Key Infrastructure (RPKI) about allowed route origins and makes them available to the BGP workflow.

This release fixes a crash when the file names of a manifest’s file list contain illegal characters. The issue has CVE-2025-0639 assigned. We would like to thank Haya Schulmann and Niklas Vogel of Goethe University Frankfurt/ATHENE Center for notifying us about this vulnerability.

In addition, the release improves the memory consumption of the new RRDP storage introduced in version 0.14.0 which tended to grow rather large over time. It should now end up with much less overhead. We will continue to keep an eye on how it develops long term and do further tweaks if necessary.

Further, standardisation of ASPA has progressed far enough in the IETF that we feel comfortable to include it in Routinator. You still have to explicitly set enable-aspa: true in your config file or use the --enable-aspa command line option to actually enable it.

Back in version 0.10.2 we disabled GZIP support for the RRDP collector as there were multiple issues with malicious GZIP files leading to memory exhaustion. We have now implemented a number of counter-measures that make us confident to re-enable support.

As always, there have been many smaller changes and improvements. The full list of changes is available in the release notes