Cloudflare OctoRPKI RPKI Validation Bypass Vulnerability Leading to BGP Hijacking

Vulnerability

A vulnerability in Cloudflare's OctoRPKI RPKI validator, prior to version 1.3.0, allows any CA issuer in the RPKI to manipulate the validator into accepting an invalid VRP 'MaxLength' value. Serving such a VRP causes RTR sessions to terminate, disrupting RPKI Origin Validation. As a result, networks relying on this validation, such as AS 13335 (Cloudflare), could inadvertently accept BGP routes that would normally be rejected as RPKI-invalid. Furthermore, the resulting flapping of RTR sessions could create additional BGP routing instability, leading to availability issues.
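As an added illustration (not OctoRPKI's own code), this is the sanity check a validator should apply to every VRP before handing it to its RTR server, assuming the RFC 6482 rule that a ROA's maxLength lies between the prefix length and the address-family maximum; the VRP type, function names and sample values are constructed for this example.

```go
package main

import (
	"fmt"
	"net/netip"
)
// VRP is a Validated ROA Payload as served to routers over RTR
// (hypothetical type for this example, not OctoRPKI's own).
type VRP struct {
	Prefix    string // e.g. "192.0.2.0/24"
	MaxLength int    // longest prefix the ROA lets ASN originate
	ASN       uint32
}
// CheckMaxLength enforces the RFC 6482 bound: prefix length <= maxLength <=
// family maximum (32 for IPv4, 128 for IPv6). Anything else breaks RTR clients.
func CheckMaxLength(v VRP) error {
	pfx, err := netip.ParsePrefix(v.Prefix)
	if err != nil {
		return fmt.Errorf("vrp %q: unparsable prefix: %w", v.Prefix, err)
	}
	famMax := 32
	if pfx.Addr().Is6() { famMax = 128 }
	if v.MaxLength < pfx.Bits() || v.MaxLength > famMax {
		return fmt.Errorf("vrp %s AS%d: maxLength %d outside [%d,%d]", v.Prefix, v.ASN, v.MaxLength, pfx.Bits(), famMax)
	}
	return nil
}
// FilterVRPs drops malformed VRPs before they reach the RTR server, so one bad
// ROA from any CA cannot tear down every session; alert on a non-zero count.
func FilterVRPs(in []VRP) (kept []VRP, rejected int) {
	for _, v := range in {
		if err := CheckMaxLength(v); err != nil {
			rejected++
			continue
		}
		kept = append(kept, v)
	}
	return kept, rejected
}
// SampleVRPs is a constructed input: two well-formed, three malformed.
func SampleVRPs() []VRP {
	return []VRP{
		{"192.0.2.0/24", 24, 64496},
		{"2001:db8::/32", 48, 64496},
		{"198.51.100.0/24", 33, 64497},  // exceeds IPv4 maximum
		{"203.0.113.0/24", 22, 64497},   // shorter than the prefix
		{"2001:db8:1::/48", 129, 64497}, // exceeds IPv6 maximum
	}
}
```

Running FilterVRPs over SampleVRPs keeps the two well-formed entries and rejects the other three, which is the behaviour a fixed validator needs so that one malformed ROA cannot take RTR sessions down.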

Impact

Exploitation of this vulnerability disables RPKI Origin Validation, allowing BGP hijacks to occur undetected. In some cases, the disruption of RTR sessions can cause significant BGP routing churn, exacerbating availability problems.

Remediation

Users can upgrade to OctoRPKI version 1.3.0 or later to address this vulnerability.

Added: Mar 11, 2026, 7:15 PM
Updated: Mar 11, 2026, 7:15 PM

Vulnerability Rating

Custom Algorithm
spread: 0.3
impact: 1.7
exploitability: 3.4
remediation: 7.7
relevance: 0.0
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.