CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 0CVE-2025-30192 – A Recursor configured to send out ECS enabled queries can be sensitive to spoofing attempts
https://notcve.org/view.php?id=CVE-2025-30192
21 Jul 2025 — An attacker spoofing answers to ECS enabled requests sent out by the Recursor has a chance of success higher than non-ECS enabled queries. The updated version include various mitigations against spoofing attempts of ECS enabled queries by chaining ECS enabled requests and enforcing stricter validation of the received answers. The most strict mitigation done when the new setting outgoing.edns_subnet_harden (old style name edns-subnet-harden) is enabled. • https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2025-04.html • CWE-345: Insufficient Verification of Data Authenticity •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2025-30193 – Denial of service via crafted TCP exchange
https://notcve.org/view.php?id=CVE-2025-30193
20 May 2025 — In some circumstances, when DNSdist is configured to allow an unlimited number of queries on a single, incoming TCP connection from a client, an attacker can cause a denial of service by crafting a TCP exchange that triggers an exhaustion of the stack and a crash of DNSdist, causing a denial of service. The remedy is: upgrade to the patched 1.9.10 version. A workaround is to restrict the maximum number of queries on incoming TCP connections to a safe value, like 50, via the setMaxTCPQueriesPerConnection set... • https://dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2025-03.html • CWE-674: Uncontrolled Recursion •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2025-30194 – Denial of service via crafted DoH exchange
https://notcve.org/view.php?id=CVE-2025-30194
29 Apr 2025 — When DNSdist is configured to provide DoH via the nghttp2 provider, an attacker can cause a denial of service by crafting a DoH exchange that triggers an illegal memory access (double-free) and crash of DNSdist, causing a denial of service. The remedy is: upgrade to the patched 1.9.9 version. A workaround is to temporarily switch to the h2o provider until DNSdist has been upgraded to a fixed version. We would like to thank Charles Howes for bringing this issue to our attention. These are all security issues... • https://dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2025-02.html • CWE-416: Use After Free •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2025-30195 – A crafted zone can lead to an illegal memory access in the PowerDNS Recursor
https://notcve.org/view.php?id=CVE-2025-30195
07 Apr 2025 — An attacker can publish a zone containing specific Resource Record Sets. Processing and caching results for these sets can lead to an illegal memory accesses and crash of the Recursor, causing a denial of service. The remedy is: upgrade to the patched 5.2.1 version. We would like to thank Volodymyr Ilyin for bringing this issue to our attention. • https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2025-01.html • CWE-476: NULL Pointer Dereference •
CVSS: 7.8EPSS: 1%CPEs: 3EXPL: 0CVE-2024-25590 – Crafted responses can lead to a denial of service due to cache inefficiencies in the Recursor
https://notcve.org/view.php?id=CVE-2024-25590
03 Oct 2024 — An attacker can publish a zone containing specific Resource Record Sets. Repeatedly processing and caching results for these sets can lead to a denial of service. Toshifumi Sakaguchi discovered that too permissive parsing of some resource record sets in the zone file parsing of PDNS Recursor could result in denial of service. • https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-04.html • CWE-20: Improper Input Validation •
CVSS: 7.5EPSS: 0%CPEs: 4EXPL: 0CVE-2024-25581 – Transfer requests received over DoH can lead to a denial of service in DNSdist
https://notcve.org/view.php?id=CVE-2024-25581
13 May 2024 — When incoming DNS over HTTPS support is enabled using the nghttp2 provider, and queries are routed to a tcp-only or DNS over TLS backend, an attacker can trigger an assertion failure in DNSdist by sending a request for a zone transfer (AXFR or IXFR) over DNS over HTTPS, causing the process to stop and thus leading to a Denial of Service. DNS over HTTPS is not enabled by default, and backends are using plain DNS (Do53) by default. Cuando la compatibilidad con DNS entrante sobre HTTPS está habilitada mediante... • http://www.openwall.com/lists/oss-security/2024/05/13/1 • CWE-20: Improper Input Validation •
CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 0CVE-2024-25583 – Crafted responses can lead to a denial of service in Recursor if recursive forwarding is configured
https://notcve.org/view.php?id=CVE-2024-25583
25 Apr 2024 — A crafted response from an upstream server the recursor has been configured to forward-recurse to can cause a Denial of Service in the Recursor. The default configuration of the Recursor does not use recursive forwarding and is not affected. Una respuesta manipulada desde un servidor ascendente al que se ha configurado el recursor para reenviar puede causar una denegación de servicio en el recursor. La configuración predeterminada del Recursor no utiliza el reenvío recursivo y no se ve afectada. It was disc... • http://www.openwall.com/lists/oss-security/2024/04/24/1 • CWE-20: Improper Input Validation •
CVSS: 7.8EPSS: 33%CPEs: 21EXPL: 3CVE-2023-50387 – bind9: KeyTrap - Extreme CPU consumption in DNSSEC validator
https://notcve.org/view.php?id=CVE-2023-50387
13 Feb 2024 — Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the "KeyTrap" issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records. Ciertos aspectos DNSSEC del protocolo DNS (en RFC 4035 y RFC relacionados) permiten a ataca... • https://github.com/knqyf263/CVE-2023-50387 • CWE-400: Uncontrolled Resource Consumption CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 5.3EPSS: 0%CPEs: 3EXPL: 0CVE-2023-26437 – Deterred spoofing attempts can lead to authoritative servers being marked unavailable
https://notcve.org/view.php?id=CVE-2023-26437
04 Apr 2023 — Denial of service vulnerability in PowerDNS Recursor allows authoritative servers to be marked unavailable.This issue affects Recursor: through 4.6.5, through 4.7.4 , through 4.8.3. An update that fixes three vulnerabilities is now available. This update for pdns-recursor fixes the following issues. • https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2023-02.html • CWE-400: Uncontrolled Resource Consumption •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-22617
https://notcve.org/view.php?id=CVE-2023-22617
21 Jan 2023 — A remote attacker might be able to cause infinite recursion in PowerDNS Recursor 4.8.0 via a DNS query that retrieves DS records for a misconfigured domain, because QName minimization is used in QM fallback mode. This is fixed in 4.8.1. Un atacante remoto podría provocar una recursividad infinita en PowerDNS Recursor 4.8.0 a través de una consulta DNS que recupera registros DS para un dominio mal configurado, porque la minimización de QName se utiliza en el modo de reserva de QM. Esto se solucionó en 4.8.1. • http://www.openwall.com/lists/oss-security/2023/01/20/1 • CWE-674: Uncontrolled Recursion •