VDB

CVE-2025-25188

CVE-2025-25188 PUBLISHED CVSS 5.699999809265137 MEDIUM

Hickory DNS is a Rust based DNS client, server, and resolver. A vulnerability present starting in version 0.8.0 and prior to versions 0.24.3 and 0.25.0-alpha.5 impacts Hickory DNS users relying on DNSSEC verification in the client library, stub resolver, or recursive resolver. The DNSSEC validation routines treat entire RRsets of DNSKEY records as trusted once they have established trust in only one of the DNSKEYs. As a result, if a zone includes a DNSKEY with a public key that matches a configured trust anchor, all keys in that zone will be trusted to authenticate other records in the zone. There is a second variant of this vulnerability involving DS records, where an authenticated DS record covering one DNSKEY leads to trust in signatures made by an unrelated DNSKEY in the same zone. Versions 0.24.3 and 0.25.0-alpha.5 fix the issue.

EPSS 0.08% · 23.4th percentile

Risk Scores

CVSS v4.0
5.699999809265137
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P
EPSS Score
0.08%
23.4th percentile

Affected Products

VendorProductVersions
crates.iohickory-proto0.8.0
hickory-dnshickory-dns>= 0.8.0, < 0.24.3, >= 0.25.0-alpha.1, < 0.25.0-alpha.5

Timeline

  • Feb 10, 2025 CVE Published
  • Feb 10, 2025 PoC Published
  • Feb 10, 2025 PoC Published
  • Feb 11, 2025 EPSS Score
  • Feb 26, 2025 EPSS Score
  • Mar 12, 2025 EPSS Score
  • Mar 27, 2025 EPSS Score
  • Apr 10, 2025 EPSS Score
  • Apr 25, 2025 EPSS Score
  • May 9, 2025 EPSS Score
  • May 24, 2025 EPSS Score
  • Jun 7, 2025 EPSS Score

References

Open in Interactive Console →
$ Console Community · 100/wk Open console ›