
CVE-2025-59029

Published: 09 Dec 2025
Source: redhat
CVSS3: 5.3

Description

An attacker can trigger an assertion failure by requesting crafted DNS records, waiting for them to be inserted into the records cache, then sending a query with qtype set to ANY.

A flaw was found in PowerDNS. This vulnerability allows an attacker to trigger an assertion failure by requesting crafted DNS (Domain Name System) records, waiting for them to be inserted into the records cache, then sending a query with qtype set to ANY.

Report

This vulnerability is rated Moderate for Red Hat because an attacker can trigger an assertion failure in PowerDNS by requesting crafted DNS records and then sending a query with qtype set to ANY. This could lead to a denial of service for the PowerDNS service.

Mitigation

To mitigate this issue, restrict network access to the PowerDNS service to only trusted clients or networks. This can be achieved by configuring firewall rules to limit incoming connections to the PowerDNS port (typically UDP/TCP 53). For example, using firewalld:

    sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="<TRUSTED_NETWORK>" port port="53" protocol="udp" accept'
    sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="<TRUSTED_NETWORK>" port port="53" protocol="tcp" accept'

After applying firewall rules, reload the firewall:

    sudo firewall-cmd --reload

This may impact legitimate DNS resolution if not configured carefully. A service restart may be required for changes to take full effect.

Additional information

Status: Moderate
Defect: CWE-617
https://bugzilla.redhat.com/show_bug.cgi?id=2420464 PowerDNS: PowerDNS: Assertion failure due to crafted DNS records

CVSS3: 5.3 Medium

Related vulnerabilities

CVSS3: 5.3
ubuntu
4 months ago

An attacker can trigger an assertion failure by requesting crafted DNS records, waiting for them to be inserted into the records cache, then sending a query with qtype set to ANY.

CVSS3: 5.3
nvd
4 months ago

An attacker can trigger an assertion failure by requesting crafted DNS records, waiting for them to be inserted into the records cache, then sending a query with qtype set to ANY.

CVSS3: 5.3
debian
4 months ago

An attacker can trigger an assertion failure by requesting crafted DNS ...

CVSS3: 5.3
github
4 months ago

An attacker can trigger an assertion failure by requesting crafted DNS records, waiting for them to be inserted into the records cache, then sending a query with qtype set to ANY.
