cvelistv5 - CVE-2025-25188

CVE-2025-25188 (GCVE-0-2025-25188)

Vulnerability from cvelistv5 – Published: 2025-02-10 17:35 – Updated: 2025-02-12 15:47

Summary

Hickory DNS is a Rust based DNS client, server, and resolver. A vulnerability present starting in version 0.8.0 and prior to versions 0.24.3 and 0.25.0-alpha.5 impacts Hickory DNS users relying on DNSSEC verification in the client library, stub resolver, or recursive resolver. The DNSSEC validation routines treat entire RRsets of DNSKEY records as trusted once they have established trust in only one of the DNSKEYs. As a result, if a zone includes a DNSKEY with a public key that matches a configured trust anchor, all keys in that zone will be trusted to authenticate other records in the zone. There is a second variant of this vulnerability involving DS records, where an authenticated DS record covering one DNSKEY leads to trust in signatures made by an unrelated DNSKEY in the same zone. Versions 0.24.3 and 0.25.0-alpha.5 fix the issue.

Severity ?

5.7 (Medium)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P

CWE

CWE-345 - Insufficient Verification of Data Authenticity

Assigner

GitHub_M

References

URL

Tags

	https://github.com/hickory-dns/hickory-dns/securi…	x_refsource_CONFIRM
	https://github.com/hickory-dns/hickory-dns/commit…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	hickory-dns	hickory-dns	Affected: >= 0.8.0, < 0.24.3 Affected: >= 0.25.0-alpha.1, < 0.25.0-alpha.5

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-25188",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-10T17:56:07.547520Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-12T15:47:59.943Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "hickory-dns",
          "vendor": "hickory-dns",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 0.8.0, \u003c 0.24.3"
            },
            {
              "status": "affected",
              "version": "\u003e= 0.25.0-alpha.1, \u003c 0.25.0-alpha.5"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Hickory DNS is a Rust based DNS client, server, and resolver. A vulnerability present starting in version 0.8.0 and prior to versions 0.24.3 and 0.25.0-alpha.5 impacts Hickory DNS users relying on DNSSEC verification in the client library, stub resolver, or recursive resolver. The DNSSEC validation routines treat entire RRsets of DNSKEY records as trusted once they have established trust in only one of the DNSKEYs. As a result, if a zone includes a DNSKEY with a public key that matches a configured trust anchor, all keys in that zone will be trusted to authenticate other records in the zone. There is a second variant of this vulnerability involving DS records, where an authenticated DS record covering one DNSKEY leads to trust in signatures made by an unrelated DNSKEY in the same zone. Versions 0.24.3 and 0.25.0-alpha.5 fix the issue."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 5.7,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "LOW",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "HIGH"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-345",
              "description": "CWE-345: Insufficient Verification of Data Authenticity",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-02-10T17:35:25.265Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/hickory-dns/hickory-dns/security/advisories/GHSA-37wc-h8xc-5hc4",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/hickory-dns/hickory-dns/security/advisories/GHSA-37wc-h8xc-5hc4"
        },
        {
          "name": "https://github.com/hickory-dns/hickory-dns/commit/e118c6eec569f4340421f86ee0686714010c63e9",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/hickory-dns/hickory-dns/commit/e118c6eec569f4340421f86ee0686714010c63e9"
        }
      ],
      "source": {
        "advisory": "GHSA-37wc-h8xc-5hc4",
        "discovery": "UNKNOWN"
      },
      "title": "DNSSEC validation may accept broken authentication chains"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-25188",
    "datePublished": "2025-02-10T17:35:25.265Z",
    "dateReserved": "2025-02-03T19:30:53.399Z",
    "dateUpdated": "2025-02-12T15:47:59.943Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-25188\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-02-10T18:15:35.827\",\"lastModified\":\"2025-02-10T18:15:35.827\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Hickory DNS is a Rust based DNS client, server, and resolver. A vulnerability present starting in version 0.8.0 and prior to versions 0.24.3 and 0.25.0-alpha.5 impacts Hickory DNS users relying on DNSSEC verification in the client library, stub resolver, or recursive resolver. The DNSSEC validation routines treat entire RRsets of DNSKEY records as trusted once they have established trust in only one of the DNSKEYs. As a result, if a zone includes a DNSKEY with a public key that matches a configured trust anchor, all keys in that zone will be trusted to authenticate other records in the zone. There is a second variant of this vulnerability involving DS records, where an authenticated DS record covering one DNSKEY leads to trust in signatures made by an unrelated DNSKEY in the same zone. Versions 0.24.3 and 0.25.0-alpha.5 fix the issue.\"},{\"lang\":\"es\",\"value\":\"Hickory DNS es un cliente, servidor y solucionador de DNS basado en Rust. Una vulnerabilidad presente a partir de la versi\u00f3n 0.8.0 y anteriores a las versiones 0.24.3 y 0.25.0-alpha.5 afecta a los usuarios de Hickory DNS que dependen de la verificaci\u00f3n DNSSEC en la librer\u00eda cliente, el solucionador de stub o el solucionador recursivo. Las rutinas de validaci\u00f3n DNSSEC tratan conjuntos RR completos de registros DNSKEY como confiables una vez que han establecido confianza en solo uno de los DNSKEY. Como resultado, si una zona incluye un DNSKEY con una clave p\u00fablica que coincide con un ancla de confianza configurada, se confiar\u00e1 en todas las claves de esa zona para autenticar otros registros en la zona. Existe una segunda variante de esta vulnerabilidad que involucra registros DS, donde un registro DS autenticado que cubre un DNSKEY lleva a confiar en las firmas realizadas por un DNSKEY no relacionado en la misma zona. Las versiones 0.24.3 y 0.25.0-alpha.5 solucionan el problema.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":5.7,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"NONE\",\"vulnIntegrityImpact\":\"HIGH\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"PROOF_OF_CONCEPT\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-345\"}]}],\"references\":[{\"url\":\"https://github.com/hickory-dns/hickory-dns/commit/e118c6eec569f4340421f86ee0686714010c63e9\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/hickory-dns/hickory-dns/security/advisories/GHSA-37wc-h8xc-5hc4\",\"source\":\"security-advisories@github.com\"}]}}",
    "vulnrichment": {
      "containers": "{\"cna\": {\"title\": \"DNSSEC validation may accept broken authentication chains\", \"problemTypes\": [{\"descriptions\": [{\"cweId\": \"CWE-345\", \"lang\": \"en\", \"description\": \"CWE-345: Insufficient Verification of Data Authenticity\", \"type\": \"CWE\"}]}], \"metrics\": [{\"cvssV4_0\": {\"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"vulnConfidentialityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"HIGH\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"NONE\", \"subIntegrityImpact\": \"NONE\", \"subAvailabilityImpact\": \"NONE\", \"baseScore\": 5.7, \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P\", \"version\": \"4.0\"}}], \"references\": [{\"name\": \"https://github.com/hickory-dns/hickory-dns/security/advisories/GHSA-37wc-h8xc-5hc4\", \"tags\": [\"x_refsource_CONFIRM\"], \"url\": \"https://github.com/hickory-dns/hickory-dns/security/advisories/GHSA-37wc-h8xc-5hc4\"}, {\"name\": \"https://github.com/hickory-dns/hickory-dns/commit/e118c6eec569f4340421f86ee0686714010c63e9\", \"tags\": [\"x_refsource_MISC\"], \"url\": \"https://github.com/hickory-dns/hickory-dns/commit/e118c6eec569f4340421f86ee0686714010c63e9\"}], \"affected\": [{\"vendor\": \"hickory-dns\", \"product\": \"hickory-dns\", \"versions\": [{\"version\": \"\u003e= 0.8.0, \u003c 0.24.3\", \"status\": \"affected\"}, {\"version\": \"\u003e= 0.25.0-alpha.1, \u003c 0.25.0-alpha.5\", \"status\": \"affected\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-02-10T17:35:25.265Z\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Hickory DNS is a Rust based DNS client, server, and resolver. A vulnerability present starting in version 0.8.0 and prior to versions 0.24.3 and 0.25.0-alpha.5 impacts Hickory DNS users relying on DNSSEC verification in the client library, stub resolver, or recursive resolver. The DNSSEC validation routines treat entire RRsets of DNSKEY records as trusted once they have established trust in only one of the DNSKEYs. As a result, if a zone includes a DNSKEY with a public key that matches a configured trust anchor, all keys in that zone will be trusted to authenticate other records in the zone. There is a second variant of this vulnerability involving DS records, where an authenticated DS record covering one DNSKEY leads to trust in signatures made by an unrelated DNSKEY in the same zone. Versions 0.24.3 and 0.25.0-alpha.5 fix the issue.\"}], \"source\": {\"advisory\": \"GHSA-37wc-h8xc-5hc4\", \"discovery\": \"UNKNOWN\"}}, \"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-25188\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-02-10T17:56:07.547520Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-02-12T15:47:51.754Z\"}}]}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-25188\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"state\": \"PUBLISHED\", \"assignerShortName\": \"GitHub_M\", \"dateReserved\": \"2025-02-03T19:30:53.399Z\", \"datePublished\": \"2025-02-10T17:35:25.265Z\", \"dateUpdated\": \"2025-02-12T15:47:59.943Z\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

GHSA-37WC-H8XC-5HC4

Vulnerability from github – Published: 2025-02-10 17:46 – Updated: 2025-02-10 19:51

Summary

Hickory DNS's DNSSEC validation may accept broken authentication chains

Details

Summary

The DNSSEC validation routines treat entire RRsets of DNSKEY records as trusted once they have established trust in only one of the DNSKEYs. As a result, if a zone includes a DNSKEY with a public key that matches a configured trust anchor, all keys in that zone will be trusted to authenticate other records in the zone. There is a second variant of this vulnerability involving DS records, where an authenticated DS record covering one DNSKEY leads to trust in signatures made by an unrelated DNSKEY in the same zone.

Details

verify_dnskey_rrset() will return Ok(true) if any record's public key matches a trust anchor. This results in verify_rrset() returning a Secure proof. This ultimately results in successfully verifying a response containing DNSKEY records. verify_default_rrset() looks up DNSKEY records by calling handle.lookup(), which takes the above code path. There's a comment following this that says "DNSKEYs were already validated by the inner query in the above lookup", but this is not the case. To fully verify the whole RRset of DNSKEYs, it would be necessary to check self-signatures by the trusted key over the other keys. Later in verify_default_rrset(), verify_rrset_with_dnskey() is called multiple times with different keys and signatures, and if any call succeeds, then its Proof is returned.

Similarly, verify_dnskey_rrset() returns Ok(false) if any DNSKEY record is covered by a DS record. A comment says "If all the keys are valid, then we are secure", but this is only checking that one key is authenticated by a DS in the parent zone's delegation point. This time, after control flow returns to verify_rrset(), it will call verify_default_rrset(). The special handling for DNSKEYs in verify_default_rrset() will then call verify_rrset_with_dnskey() using each KSK DNSKEY record, and if one call succeeds, return its Proof. If there are multiple KSK DNSKEYs in the RRset, then this leads to another authentication break. We need to either pass the authenticated DNSKEYs from the DS covering check to the RRSIG validation, or we need to perform this RRSIG validation of the DNSKEY RRset inside verify_dnskey_rrset() and cut verify_default_rrset() out of DNSKEY RRset validation entirely.

PoC

The proof of concepts have been integrated into the conformance test suite, as resolver::dnssec::scenarios::bogus::bogus_zone_plus_trust_anchor_dnskey and resolver::dnssec::scenarios::bogus::bogus_zone_plus_ds_covered_dnskey.

Impact

This impacts Hickory DNS users relying on DNSSEC verification in the client library, stub resolver, or recursive resolver.

Severity ?

5.7 (Medium)


                  
                    CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "hickory-proto"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.8.0"
            },
            {
              "fixed": "0.24.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-25188"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-345"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-02-10T17:46:00Z",
    "nvd_published_at": "2025-02-10T18:15:35Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nThe DNSSEC validation routines treat entire RRsets of DNSKEY records as trusted once they have established trust in only one of the DNSKEYs. As a result, if a zone includes a DNSKEY with a public key that matches a configured trust anchor, all keys in that zone will be trusted to authenticate other records in the zone. There is a second variant of this vulnerability involving DS records, where an authenticated DS record covering one DNSKEY leads to trust in signatures made by an unrelated DNSKEY in the same zone.\n\n### Details\n`verify_dnskey_rrset()` will return `Ok(true)` if any record\u0027s public key matches a trust anchor. This results in `verify_rrset()` returning a `Secure` proof. This ultimately results in successfully verifying a response containing DNSKEY records. `verify_default_rrset()` looks up DNSKEY records by calling `handle.lookup()`, which takes the above code path. There\u0027s a comment following this that says \"DNSKEYs were already validated by the inner query in the above lookup\", but this is not the case. To fully verify the whole RRset of DNSKEYs, it would be necessary to check self-signatures by the trusted key over the other keys. Later in `verify_default_rrset()`, `verify_rrset_with_dnskey()` is called multiple times with different keys and signatures, and if any call succeeds, then its `Proof` is returned.\n\nSimilarly, `verify_dnskey_rrset()` returns `Ok(false)` if any DNSKEY record is covered by a DS record. A comment says \"If all the keys are valid, then we are secure\", but this is only checking that one key is authenticated by a DS in the parent zone\u0027s delegation point. This time, after control flow returns to `verify_rrset()`, it will call `verify_default_rrset()`. The special handling for DNSKEYs in `verify_default_rrset()` will then call `verify_rrset_with_dnskey()` using each KSK DNSKEY record, and if one call succeeds, return its `Proof`. If there are multiple KSK DNSKEYs in the RRset, then this leads to another authentication break. We need to either pass the authenticated DNSKEYs from the DS covering check to the RRSIG validation, or we need to perform this RRSIG validation of the DNSKEY RRset inside `verify_dnskey_rrset()` and cut `verify_default_rrset()` out of DNSKEY RRset validation entirely.\n\n### PoC\nThe proof of concepts have been integrated into the conformance test suite, as `resolver::dnssec::scenarios::bogus::bogus_zone_plus_trust_anchor_dnskey` and `resolver::dnssec::scenarios::bogus::bogus_zone_plus_ds_covered_dnskey`.\n\n### Impact\nThis impacts Hickory DNS users relying on DNSSEC verification in the client library, stub resolver, or recursive resolver.",
  "id": "GHSA-37wc-h8xc-5hc4",
  "modified": "2025-02-10T19:51:23Z",
  "published": "2025-02-10T17:46:00Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/hickory-dns/hickory-dns/security/advisories/GHSA-37wc-h8xc-5hc4"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-25188"
    },
    {
      "type": "WEB",
      "url": "https://github.com/hickory-dns/hickory-dns/commit/e118c6eec569f4340421f86ee0686714010c63e9"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/hickory-dns/hickory-dns"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Hickory DNS\u0027s DNSSEC validation may accept broken authentication chains"
}

FKIE_CVE-2025-25188

Vulnerability from fkie_nvd - Published: 2025-02-10 18:15 - Updated: 2025-02-10 18:15

Severity ?

5.7 (Medium) - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/hickory-dns/hickory-dns/commit/e118c6eec569f4340421f86ee0686714010c63e9
	security-advisories@github.com	https://github.com/hickory-dns/hickory-dns/security/advisories/GHSA-37wc-h8xc-5hc4

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Hickory DNS is a Rust based DNS client, server, and resolver. A vulnerability present starting in version 0.8.0 and prior to versions 0.24.3 and 0.25.0-alpha.5 impacts Hickory DNS users relying on DNSSEC verification in the client library, stub resolver, or recursive resolver. The DNSSEC validation routines treat entire RRsets of DNSKEY records as trusted once they have established trust in only one of the DNSKEYs. As a result, if a zone includes a DNSKEY with a public key that matches a configured trust anchor, all keys in that zone will be trusted to authenticate other records in the zone. There is a second variant of this vulnerability involving DS records, where an authenticated DS record covering one DNSKEY leads to trust in signatures made by an unrelated DNSKEY in the same zone. Versions 0.24.3 and 0.25.0-alpha.5 fix the issue."
    },
    {
      "lang": "es",
      "value": "Hickory DNS es un cliente, servidor y solucionador de DNS basado en Rust. Una vulnerabilidad presente a partir de la versi\u00f3n 0.8.0 y anteriores a las versiones 0.24.3 y 0.25.0-alpha.5 afecta a los usuarios de Hickory DNS que dependen de la verificaci\u00f3n DNSSEC en la librer\u00eda cliente, el solucionador de stub o el solucionador recursivo. Las rutinas de validaci\u00f3n DNSSEC tratan conjuntos RR completos de registros DNSKEY como confiables una vez que han establecido confianza en solo uno de los DNSKEY. Como resultado, si una zona incluye un DNSKEY con una clave p\u00fablica que coincide con un ancla de confianza configurada, se confiar\u00e1 en todas las claves de esa zona para autenticar otros registros en la zona. Existe una segunda variante de esta vulnerabilidad que involucra registros DS, donde un registro DS autenticado que cubre un DNSKEY lleva a confiar en las firmas realizadas por un DNSKEY no relacionado en la misma zona. Las versiones 0.24.3 y 0.25.0-alpha.5 solucionan el problema."
    }
  ],
  "id": "CVE-2025-25188",
  "lastModified": "2025-02-10T18:15:35.827",
  "metrics": {
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "NONE",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 5.7,
          "baseSeverity": "MEDIUM",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "PROOF_OF_CONCEPT",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "LOW",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "NONE",
          "subIntegrityImpact": "NONE",
          "userInteraction": "NONE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "NONE",
          "vulnConfidentialityImpact": "NONE",
          "vulnIntegrityImpact": "HIGH",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-02-10T18:15:35.827",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/hickory-dns/hickory-dns/commit/e118c6eec569f4340421f86ee0686714010c63e9"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/hickory-dns/hickory-dns/security/advisories/GHSA-37wc-h8xc-5hc4"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-345"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

MSRC_CVE-2025-25188

Vulnerability from csaf_microsoft - Published: 2025-02-02 00:00 - Updated: 2025-09-03 23:56

Summary

DNSSEC validation may accept broken authentication chains

Notes

Additional Resources

To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle

Disclaimer

The information provided in the Microsoft Knowledge Base is provided \"as is\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

JSON

To clipboard

{
  "document": {
    "category": "csaf_vex",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Public",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en-US",
    "notes": [
      {
        "category": "general",
        "text": "To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle",
        "title": "Additional Resources"
      },
      {
        "category": "legal_disclaimer",
        "text": "The information provided in the Microsoft Knowledge Base is provided \\\"as is\\\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.",
        "title": "Disclaimer"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "secure@microsoft.com",
      "name": "Microsoft Security Response Center",
      "namespace": "https://msrc.microsoft.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "CVE-2025-25188 DNSSEC validation may accept broken authentication chains - VEX",
        "url": "https://msrc.microsoft.com/csaf/vex/2025/msrc_cve-2025-25188.json"
      },
      {
        "category": "external",
        "summary": "Microsoft Support Lifecycle",
        "url": "https://support.microsoft.com/lifecycle"
      },
      {
        "category": "external",
        "summary": "Common Vulnerability Scoring System",
        "url": "https://www.first.org/cvss"
      }
    ],
    "title": "DNSSEC validation may accept broken authentication chains",
    "tracking": {
      "current_release_date": "2025-09-03T23:56:45.000Z",
      "generator": {
        "date": "2025-10-20T02:58:28.979Z",
        "engine": {
          "name": "MSRC Generator",
          "version": "1.0"
        }
      },
      "id": "msrc_CVE-2025-25188",
      "initial_release_date": "2025-02-02T00:00:00.000Z",
      "revision_history": [
        {
          "date": "2025-09-03T23:56:45.000Z",
          "legacy_version": "1",
          "number": "1",
          "summary": "Information published."
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "3.0",
                "product": {
                  "name": "Azure Linux 3.0",
                  "product_id": "17084"
                }
              }
            ],
            "category": "product_name",
            "name": "Azure Linux"
          },
          {
            "category": "product_name",
            "name": "azl3 netavark 1.10.3-2",
            "product": {
              "name": "azl3 netavark 1.10.3-2",
              "product_id": "1"
            }
          }
        ],
        "category": "vendor",
        "name": "Microsoft"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "azl3 netavark 1.10.3-2 as a component of Azure Linux 3.0",
          "product_id": "17084-1"
        },
        "product_reference": "1",
        "relates_to_product_reference": "17084"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-25188",
      "cwe": {
        "id": "CWE-345",
        "name": "Insufficient Verification of Data Authenticity"
      },
      "flags": [
        {
          "label": "component_not_present",
          "product_ids": [
            "17084-1"
          ]
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "GitHub_M",
          "title": "Assigning CNA"
        }
      ],
      "product_status": {
        "known_not_affected": [
          "17084-1"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-25188 DNSSEC validation may accept broken authentication chains - VEX",
          "url": "https://msrc.microsoft.com/csaf/vex/2025/msrc_cve-2025-25188.json"
        }
      ],
      "title": "DNSSEC validation may accept broken authentication chains"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2025-25188 (GCVE-0-2025-25188)

GHSA-37WC-H8XC-5HC4

Summary

Details

PoC

Impact

FKIE_CVE-2025-25188

MSRC_CVE-2025-25188

Tags

Sightings

Nomenclature