CVE-2025-5994

{"id": "CVE-2025-5994", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "USER", "baseScore": 8.7, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "CONCENTRATED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:U/V:C/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-07-16T15:15:33.490", "references": [{"url": "https://nlnetlabs.nl/downloads/unbound/CVE-2025-5994.txt", "source": "[email protected]"}, {"url": "https://lists.debian.org/debian-lts-announce/2025/08/msg00019.html", "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-349"}]}], "descriptions": [{"lang": "en", "value": "A multi-vendor cache poisoning vulnerability named 'Rebirthday Attack' has been discovered in caching resolvers that support EDNS Client Subnet (ECS). Unbound is also vulnerable when compiled with ECS support, i.e., '--enable-subnet', AND configured to send ECS information along with queries to upstream name servers, i.e., at least one of the 'send-client-subnet', 'client-subnet-zone' or 'client-subnet-always-forward' options is used. Resolvers supporting ECS need to segregate outgoing queries to accommodate for different outgoing ECS information. This re-opens up resolvers to a birthday paradox attack (Rebirthday Attack) that tries to match the DNS transaction ID in order to cache non-ECS poisonous replies."}, {"lang": "es", "value": "Se ha descubierto una vulnerabilidad de envenenamiento de cach\u00e9 multiproveedor, denominada \"Ataque Rebirthday\", en resolutores de cach\u00e9 compatibles con EDNS Client Subnet (ECS). Unbound tambi\u00e9n es vulnerable cuando se compila con compatibilidad con ECS (es decir, con \"--enable-subnet\") y se configura para enviar informaci\u00f3n de ECS junto con consultas a servidores de nombres ascendentes (es decir, se utiliza al menos una de las opciones \"send-client-subnet\", \"client-subnet-zone\" o \"client-subnet-always-forward\"). Los resolutores compatibles con ECS deben segregar las consultas salientes para adaptarlas a la diferente informaci\u00f3n de ECS saliente. Esto expone a los resolutores a un ataque de paradoja de cumplea\u00f1os (Ataque Rebirthday), que intenta coincidir con el ID de transacci\u00f3n DNS para almacenar en cach\u00e9 respuestas t\u00f3xicas que no sean de ECS."}], "lastModified": "2025-11-03T19:16:14.563", "sourceIdentifier": "[email protected]"}