CVE-2025-25188

Feb. 10, 2025, 6:15 p.m.

None
No Score

Description

Hickory DNS is a Rust based DNS client, server, and resolver. A vulnerability present starting in version 0.8.0 and prior to versions 0.24.3 and 0.25.0-alpha.5 impacts Hickory DNS users relying on DNSSEC verification in the client library, stub resolver, or recursive resolver. The DNSSEC validation routines treat entire RRsets of DNSKEY records as trusted once they have established trust in only one of the DNSKEYs. As a result, if a zone includes a DNSKEY with a public key that matches a configured trust anchor, all keys in that zone will be trusted to authenticate other records in the zone. There is a second variant of this vulnerability involving DS records, where an authenticated DS record covering one DNSKEY leads to trust in signatures made by an unrelated DNSKEY in the same zone. Versions 0.24.3 and 0.25.0-alpha.5 fix the issue.

Product(s) Impacted

Product Versions
Hickory DNS
  • 0.8.0 - 0.24.2

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-345
Insufficient Verification of Data Authenticity
The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.

References

https://github.com/hickory-dns/hickory-dns/commit/e118c6eec569f4340421f86ee0686714010c63e9
https://github.com/hickory-dns/hickory-dns/security/advisories/GHSA-37wc-h8xc-5hc4

Tags

security-advisories@github.com
CWE-345
2025-02-10
CVE-2025-25188

Timeline

Published: Feb. 10, 2025, 6:15 p.m.
Last Modified: Feb. 10, 2025, 6:15 p.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

security-advisories@github.com

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.