CVE-2025-30192

NameCVE-2025-30192
DescriptionAn attacker spoofing answers to ECS enabled requests sent out by the Recursor has a chance of success higher than non-ECS enabled queries. The updated version include various mitigations against spoofing attempts of ECS enabled queries by chaining ECS enabled requests and enforcing stricter validation of the received answers. The most strict mitigation done when the new setting outgoing.edns_subnet_harden (old style name edns-subnet-harden) is enabled.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1109808

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
pdns-recursor (PTS)bullseye4.4.2-3vulnerable
bookworm, bookworm (security)4.8.8-1+deb12u1vulnerable
sid, trixie5.2.4-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
pdns-recursorsourceexperimental5.2.4-1
pdns-recursorsourcebullseye(unfixed)end-of-life
pdns-recursorsource(unstable)5.2.4-21109808

Notes

[bookworm] - pdns-recursor <no-dsa> (Minor issue; can be fixed via point release update)
[bullseye] - pdns-recursor <end-of-life> (No longer supported with security updates in Bullseye)
https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2025-04.html
Search for package or bug name: Reporting problems