cve-2025-5994
Vulnerability from cvelistv5
Published
2025-07-16 14:38
Modified
2025-07-16 15:42
Severity ?
8.7 (High) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/R:U/V:C
Summary
Cache poisoning via the ECS-enabled Rebirthday Attack
References
sep@nlnetlabs.nlhttps://nlnetlabs.nl/downloads/unbound/CVE-2025-5994.txt
Impacted products
NLnet LabsUnbound
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-5994",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-16T15:42:14.147972Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-16T15:42:18.657Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Unbound",
          "vendor": "NLnet Labs",
          "versions": [
            {
              "lessThan": "1.23.0",
              "status": "affected",
              "version": "1.6.2",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Xiang Li (AOSP Lab, Nankai University)"
        }
      ],
      "datePublic": "2025-07-16T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "A multi-vendor cache poisoning vulnerability named \u0027Rebirthday Attack\u0027 has been discovered in caching resolvers that support EDNS Client Subnet (ECS). Unbound is also vulnerable when compiled with ECS support, i.e., \u0027--enable-subnet\u0027, AND configured to send ECS information along with queries to upstream name servers, i.e., at least one of the \u0027send-client-subnet\u0027, \u0027client-subnet-zone\u0027 or \u0027client-subnet-always-forward\u0027 options is used. Resolvers supporting ECS need to segregate outgoing queries to accommodate for different outgoing ECS information. This re-opens up resolvers to a birthday paradox attack (Rebirthday Attack) that tries to match the DNS transaction ID in order to cache non-ECS poisonous replies."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/R:U/V:C",
            "version": "4.0"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "Compiled and configured for ECS support"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-349",
              "description": "CWE-349 Acceptance of Extraneous Untrusted Data With Trusted Data",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-16T14:38:22.738Z",
        "orgId": "206fc3a0-e175-490b-9eaa-a5738056c9f6",
        "shortName": "NLnet Labs"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://nlnetlabs.nl/downloads/unbound/CVE-2025-5994.txt"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "This issue is fixed in 1.23.1 and all later versions. Not using EDNS Client Subnet (ECS) is also a mitigation for affected versions."
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2025-01-02T00:00:00.000Z",
          "value": "Issue reported by Xiang Li"
        },
        {
          "lang": "en",
          "time": "2025-01-03T00:00:00.000Z",
          "value": "Issue acknowledged by NLnet Labs"
        },
        {
          "lang": "en",
          "time": "2025-01-08T00:00:00.000Z",
          "value": "Mitigation shared with Xiang Li"
        },
        {
          "lang": "en",
          "time": "2025-07-16T00:00:00.000Z",
          "value": "Fix released with Unbound 1.23.1 (coordinated with other vendors)"
        }
      ],
      "title": "Cache poisoning via the ECS-enabled Rebirthday Attack"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "206fc3a0-e175-490b-9eaa-a5738056c9f6",
    "assignerShortName": "NLnet Labs",
    "cveId": "CVE-2025-5994",
    "datePublished": "2025-07-16T14:38:22.738Z",
    "dateReserved": "2025-06-11T09:08:05.767Z",
    "dateUpdated": "2025-07-16T15:42:18.657Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-5994\",\"sourceIdentifier\":\"sep@nlnetlabs.nl\",\"published\":\"2025-07-16T15:15:33.490\",\"lastModified\":\"2025-07-17T21:15:50.197\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A multi-vendor cache poisoning vulnerability named \u0027Rebirthday Attack\u0027 has been discovered in caching resolvers that support EDNS Client Subnet (ECS). Unbound is also vulnerable when compiled with ECS support, i.e., \u0027--enable-subnet\u0027, AND configured to send ECS information along with queries to upstream name servers, i.e., at least one of the \u0027send-client-subnet\u0027, \u0027client-subnet-zone\u0027 or \u0027client-subnet-always-forward\u0027 options is used. Resolvers supporting ECS need to segregate outgoing queries to accommodate for different outgoing ECS information. This re-opens up resolvers to a birthday paradox attack (Rebirthday Attack) that tries to match the DNS transaction ID in order to cache non-ECS poisonous replies.\"},{\"lang\":\"es\",\"value\":\"Se ha descubierto una vulnerabilidad de envenenamiento de cach\u00e9 multiproveedor, denominada \\\"Ataque Rebirthday\\\", en resolutores de cach\u00e9 compatibles con EDNS Client Subnet (ECS). Unbound tambi\u00e9n es vulnerable cuando se compila con compatibilidad con ECS (es decir, con \\\"--enable-subnet\\\") y se configura para enviar informaci\u00f3n de ECS junto con consultas a servidores de nombres ascendentes (es decir, se utiliza al menos una de las opciones \\\"send-client-subnet\\\", \\\"client-subnet-zone\\\" o \\\"client-subnet-always-forward\\\"). Los resolutores compatibles con ECS deben segregar las consultas salientes para adaptarlas a la diferente informaci\u00f3n de ECS saliente. Esto expone a los resolutores a un ataque de paradoja de cumplea\u00f1os (Ataque Rebirthday), que intenta coincidir con el ID de transacci\u00f3n DNS para almacenar en cach\u00e9 respuestas t\u00f3xicas que no sean de ECS.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"sep@nlnetlabs.nl\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:U/V:C/RE:X/U:X\",\"baseScore\":8.7,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"NONE\",\"vulnIntegrityImpact\":\"HIGH\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"USER\",\"valueDensity\":\"CONCENTRATED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}]},\"weaknesses\":[{\"source\":\"sep@nlnetlabs.nl\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-349\"}]}],\"references\":[{\"url\":\"https://nlnetlabs.nl/downloads/unbound/CVE-2025-5994.txt\",\"source\":\"sep@nlnetlabs.nl\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.