CVE-2025-5994

A multi-vendor cache poisoning vulnerability named 'Rebirthday Attack' has been discovered in caching resolvers that support EDNS Client Subnet (ECS). Unbound is also vulnerable when compiled with ECS support, i.e., '--enable-subnet', AND configured to send ECS information along with queries to upstream name servers, i.e., at least one of the 'send-client-subnet', 'client-subnet-zone' or 'client-subnet-always-forward' options is used. Resolvers supporting ECS need to segregate outgoing queries to accommodate for different outgoing ECS information. This re-opens up resolvers to a birthday paradox attack (Rebirthday Attack) that tries to match the DNS transaction ID in order to cache non-ECS poisonous replies.

CVSS

No CVSS.

References

Link	Resource
https://nlnetlabs.nl/downloads/unbound/CVE-2025-5994.txt

Configurations

No configuration.

History

17 Jul 2025, 21:15

Type	Values Removed	Values Added
Summary		(es) Se ha descubierto una vulnerabilidad de envenenamiento de caché multiproveedor, denominada "Ataque Rebirthday", en resolutores de caché compatibles con EDNS Client Subnet (ECS). Unbound también es vulnerable cuando se compila con compatibilidad con ECS (es decir, con "--enable-subnet") y se configura para enviar información de ECS junto con consultas a servidores de nombres ascendentes (es decir, se utiliza al menos una de las opciones "send-client-subnet", "client-subnet-zone" o "client-subnet-always-forward"). Los resolutores compatibles con ECS deben segregar las consultas salientes para adaptarlas a la diferente información de ECS saliente. Esto expone a los resolutores a un ataque de paradoja de cumpleaños (Ataque Rebirthday), que intenta coincidir con el ID de transacción DNS para almacenar en caché respuestas tóxicas que no sean de ECS.

16 Jul 2025, 15:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-07-16 15:15

Updated : 2025-07-17 21:15

NVD link : CVE-2025-5994

Mitre link : CVE-2025-5994

CVE.ORG link : CVE-2025-5994

JSON object : View

Products Affected

No product.

CWE

CWE-349

Acceptance of Extraneous Untrusted Data With Trusted Data

{"id": "CVE-2025-5994", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "sep@nlnetlabs.nl", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "USER", "baseScore": 8.7, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "CONCENTRATED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:U/V:C/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-07-16T15:15:33.490", "references": [{"url": "https://nlnetlabs.nl/downloads/unbound/CVE-2025-5994.txt", "source": "sep@nlnetlabs.nl"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "sep@nlnetlabs.nl", "description": [{"lang": "en", "value": "CWE-349"}]}], "descriptions": [{"lang": "en", "value": "A multi-vendor cache poisoning vulnerability named 'Rebirthday Attack' has been discovered in caching resolvers that support EDNS Client Subnet (ECS). Unbound is also vulnerable when compiled with ECS support, i.e., '--enable-subnet', AND configured to send ECS information along with queries to upstream name servers, i.e., at least one of the 'send-client-subnet', 'client-subnet-zone' or 'client-subnet-always-forward' options is used. Resolvers supporting ECS need to segregate outgoing queries to accommodate for different outgoing ECS information. This re-opens up resolvers to a birthday paradox attack (Rebirthday Attack) that tries to match the DNS transaction ID in order to cache non-ECS poisonous replies."}, {"lang": "es", "value": "Se ha descubierto una vulnerabilidad de envenenamiento de cach\u00e9 multiproveedor, denominada \"Ataque Rebirthday\", en resolutores de cach\u00e9 compatibles con EDNS Client Subnet (ECS). Unbound tambi\u00e9n es vulnerable cuando se compila con compatibilidad con ECS (es decir, con \"--enable-subnet\") y se configura para enviar informaci\u00f3n de ECS junto con consultas a servidores de nombres ascendentes (es decir, se utiliza al menos una de las opciones \"send-client-subnet\", \"client-subnet-zone\" o \"client-subnet-always-forward\"). Los resolutores compatibles con ECS deben segregar las consultas salientes para adaptarlas a la diferente informaci\u00f3n de ECS saliente. Esto expone a los resolutores a un ataque de paradoja de cumplea\u00f1os (Ataque Rebirthday), que intenta coincidir con el ID de transacci\u00f3n DNS para almacenar en cach\u00e9 respuestas t\u00f3xicas que no sean de ECS."}], "lastModified": "2025-07-17T21:15:50.197", "sourceIdentifier": "sep@nlnetlabs.nl"}