Refine your search
2 vulnerabilities found for by NLnet Labs
CVE-2025-11411 (GCVE-0-2025-11411)
Vulnerability from cvelistv5
Published
2025-10-22 12:28
Modified
2025-11-06 00:12
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-349 - Acceptance of Extraneous Untrusted Data With Trusted Data
Summary
NLnet Labs Unbound up to and including version 1.24.0 is vulnerable to possible domain hijack attacks. Promiscuous NS RRSets that complement positive DNS replies in the authority section can be used to trick resolvers to update their delegation information for the zone. Usually these RRSets are used to update the resolver's knowledge of the zone's name servers. A malicious actor can exploit the possible poisonous effect by injecting NS RRSets (and possibly their respective address records) in a reply. This could be done for example by trying to spoof a packet or fragmentation attacks. Unbound would then proceed to update the NS RRSet data it already has since the new data has enough trust for it, i.e., in-zone data for the delegation point. Unbound 1.24.1 includes a fix that scrubs unsolicited NS RRSets (and their respective address records) from replies mitigating the possible poison effect.
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| NLnet Labs | Unbound |
Version: 0 ≤ 1.24.0 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-11411",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-22T13:20:48.048984Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-22T13:21:55.355Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-06T00:12:30.273Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/11/msg00008.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Unbound",
"vendor": "NLnet Labs",
"versions": [
{
"lessThanOrEqual": "1.24.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Yuxiao Wu (Tsinghua University)"
},
{
"lang": "en",
"type": "finder",
"value": "Yunyi Zhang (Tsinghua University)"
},
{
"lang": "en",
"type": "finder",
"value": "Baojun Liu (Tsinghua University)"
},
{
"lang": "en",
"type": "finder",
"value": "Haixin Duan (Tsinghua University)"
}
],
"datePublic": "2025-10-22T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "NLnet Labs Unbound up to and including version 1.24.0 is vulnerable to possible domain hijack attacks. Promiscuous NS RRSets that complement positive DNS replies in the authority section can be used to trick resolvers to update their delegation information for the zone. Usually these RRSets are used to update the resolver\u0027s knowledge of the zone\u0027s name servers. A malicious actor can exploit the possible poisonous effect by injecting NS RRSets (and possibly their respective address records) in a reply. This could be done for example by trying to spoof a packet or fragmentation attacks. Unbound would then proceed to update the NS RRSet data it already has since the new data has enough trust for it, i.e., in-zone data for the delegation point. Unbound 1.24.1 includes a fix that scrubs unsolicited NS RRSets (and their respective address records) from replies mitigating the possible poison effect."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:H/E:P",
"version": "4.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-349",
"description": "CWE-349 Acceptance of Extraneous Untrusted Data With Trusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-22T12:28:02.607Z",
"orgId": "206fc3a0-e175-490b-9eaa-a5738056c9f6",
"shortName": "NLnet Labs"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.nlnetlabs.nl/downloads/unbound/CVE-2025-11411.txt"
}
],
"solutions": [
{
"lang": "en",
"value": "This issue is fixed in 1.24.1 and all later versions."
}
],
"timeline": [
{
"lang": "en",
"time": "2025-07-09T00:00:00.000Z",
"value": "Issue reported by Yuxiao Wu"
},
{
"lang": "en",
"time": "2025-08-12T00:00:00.000Z",
"value": "Issue acknowledged and mitigation shared by NLnet Labs"
},
{
"lang": "en",
"time": "2025-10-22T00:00:00.000Z",
"value": "Fixes released with Unbound 1.24.1 (coordinated with other vendors)"
}
],
"title": "Possible domain hijacking via promiscuous records in the authority section",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "206fc3a0-e175-490b-9eaa-a5738056c9f6",
"assignerShortName": "NLnet Labs",
"cveId": "CVE-2025-11411",
"datePublished": "2025-10-22T12:28:02.607Z",
"dateReserved": "2025-10-07T09:07:44.926Z",
"dateUpdated": "2025-11-06T00:12:30.273Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-5994 (GCVE-0-2025-5994)
Vulnerability from cvelistv5
Published
2025-07-16 14:38
Modified
2025-11-03 18:13
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-349 - Acceptance of Extraneous Untrusted Data With Trusted Data
Summary
A multi-vendor cache poisoning vulnerability named 'Rebirthday Attack' has been discovered in caching resolvers that support EDNS Client Subnet (ECS). Unbound is also vulnerable when compiled with ECS support, i.e., '--enable-subnet', AND configured to send ECS information along with queries to upstream name servers, i.e., at least one of the 'send-client-subnet', 'client-subnet-zone' or 'client-subnet-always-forward' options is used. Resolvers supporting ECS need to segregate outgoing queries to accommodate for different outgoing ECS information. This re-opens up resolvers to a birthday paradox attack (Rebirthday Attack) that tries to match the DNS transaction ID in order to cache non-ECS poisonous replies.
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| NLnet Labs | Unbound |
Version: 1.6.2 ≤ |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-5994",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-16T15:42:14.147972Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-16T15:42:18.657Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-03T18:13:56.352Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/08/msg00019.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Unbound",
"vendor": "NLnet Labs",
"versions": [
{
"lessThan": "1.23.0",
"status": "affected",
"version": "1.6.2",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Xiang Li (AOSP Lab, Nankai University)"
}
],
"datePublic": "2025-07-16T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A multi-vendor cache poisoning vulnerability named \u0027Rebirthday Attack\u0027 has been discovered in caching resolvers that support EDNS Client Subnet (ECS). Unbound is also vulnerable when compiled with ECS support, i.e., \u0027--enable-subnet\u0027, AND configured to send ECS information along with queries to upstream name servers, i.e., at least one of the \u0027send-client-subnet\u0027, \u0027client-subnet-zone\u0027 or \u0027client-subnet-always-forward\u0027 options is used. Resolvers supporting ECS need to segregate outgoing queries to accommodate for different outgoing ECS information. This re-opens up resolvers to a birthday paradox attack (Rebirthday Attack) that tries to match the DNS transaction ID in order to cache non-ECS poisonous replies."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 8.7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/R:U/V:C",
"version": "4.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "Compiled and configured for ECS support"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-349",
"description": "CWE-349 Acceptance of Extraneous Untrusted Data With Trusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-16T14:38:22.738Z",
"orgId": "206fc3a0-e175-490b-9eaa-a5738056c9f6",
"shortName": "NLnet Labs"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://nlnetlabs.nl/downloads/unbound/CVE-2025-5994.txt"
}
],
"solutions": [
{
"lang": "en",
"value": "This issue is fixed in 1.23.1 and all later versions. Not using EDNS Client Subnet (ECS) is also a mitigation for affected versions."
}
],
"timeline": [
{
"lang": "en",
"time": "2025-01-02T00:00:00.000Z",
"value": "Issue reported by Xiang Li"
},
{
"lang": "en",
"time": "2025-01-03T00:00:00.000Z",
"value": "Issue acknowledged by NLnet Labs"
},
{
"lang": "en",
"time": "2025-01-08T00:00:00.000Z",
"value": "Mitigation shared with Xiang Li"
},
{
"lang": "en",
"time": "2025-07-16T00:00:00.000Z",
"value": "Fix released with Unbound 1.23.1 (coordinated with other vendors)"
}
],
"title": "Cache poisoning via the ECS-enabled Rebirthday Attack"
}
},
"cveMetadata": {
"assignerOrgId": "206fc3a0-e175-490b-9eaa-a5738056c9f6",
"assignerShortName": "NLnet Labs",
"cveId": "CVE-2025-5994",
"datePublished": "2025-07-16T14:38:22.738Z",
"dateReserved": "2025-06-11T09:08:05.767Z",
"dateUpdated": "2025-11-03T18:13:56.352Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}