Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2025-5994

Summary
Assigner-NLnet Labs
Assigner Org ID-206fc3a0-e175-490b-9eaa-a5738056c9f6
Published At-16 Jul, 2025 | 14:38
Updated At-03 Nov, 2025 | 18:13
Rejected At-
Credits

Cache poisoning via the ECS-enabled Rebirthday Attack

A multi-vendor cache poisoning vulnerability named 'Rebirthday Attack' has been discovered in caching resolvers that support EDNS Client Subnet (ECS). Unbound is also vulnerable when compiled with ECS support, i.e., '--enable-subnet', AND configured to send ECS information along with queries to upstream name servers, i.e., at least one of the 'send-client-subnet', 'client-subnet-zone' or 'client-subnet-always-forward' options is used. Resolvers supporting ECS need to segregate outgoing queries to accommodate for different outgoing ECS information. This re-opens up resolvers to a birthday paradox attack (Rebirthday Attack) that tries to match the DNS transaction ID in order to cache non-ECS poisonous replies.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:NLnet Labs
Assigner Org ID:206fc3a0-e175-490b-9eaa-a5738056c9f6
Published At:16 Jul, 2025 | 14:38
Updated At:03 Nov, 2025 | 18:13
Rejected At:
▼CVE Numbering Authority (CNA)
Cache poisoning via the ECS-enabled Rebirthday Attack

A multi-vendor cache poisoning vulnerability named 'Rebirthday Attack' has been discovered in caching resolvers that support EDNS Client Subnet (ECS). Unbound is also vulnerable when compiled with ECS support, i.e., '--enable-subnet', AND configured to send ECS information along with queries to upstream name servers, i.e., at least one of the 'send-client-subnet', 'client-subnet-zone' or 'client-subnet-always-forward' options is used. Resolvers supporting ECS need to segregate outgoing queries to accommodate for different outgoing ECS information. This re-opens up resolvers to a birthday paradox attack (Rebirthday Attack) that tries to match the DNS transaction ID in order to cache non-ECS poisonous replies.

Affected Products
Vendor
NLnet Labs
Product
Unbound
Default Status
unaffected
Versions
Affected
  • From 1.6.2 before 1.23.0 (semver)
Problem Types
TypeCWE IDDescription
CWECWE-349CWE-349 Acceptance of Extraneous Untrusted Data With Trusted Data
Type: CWE
CWE ID: CWE-349
Description: CWE-349 Acceptance of Extraneous Untrusted Data With Trusted Data
Metrics
VersionBase scoreBase severityVector
4.08.7HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/R:U/V:C
Version: 4.0
Base score: 8.7
Base severity: HIGH
Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/R:U/V:C
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

This issue is fixed in 1.23.1 and all later versions. Not using EDNS Client Subnet (ECS) is also a mitigation for affected versions.

Configurations
Workarounds
Exploits
Credits
finder
Xiang Li (AOSP Lab, Nankai University)
Timeline
EventDate
Issue reported by Xiang Li2025-01-02 00:00:00
Issue acknowledged by NLnet Labs2025-01-03 00:00:00
Mitigation shared with Xiang Li2025-01-08 00:00:00
Fix released with Unbound 1.23.1 (coordinated with other vendors)2025-07-16 00:00:00
Event: Issue reported by Xiang Li
Date: 2025-01-02 00:00:00
Event: Issue acknowledged by NLnet Labs
Date: 2025-01-03 00:00:00
Event: Mitigation shared with Xiang Li
Date: 2025-01-08 00:00:00
Event: Fix released with Unbound 1.23.1 (coordinated with other vendors)
Date: 2025-07-16 00:00:00
Replaced By
Rejected Reason
References
HyperlinkResource
https://nlnetlabs.nl/downloads/unbound/CVE-2025-5994.txt
vendor-advisory
Hyperlink: https://nlnetlabs.nl/downloads/unbound/CVE-2025-5994.txt
Resource:
vendor-advisory
▼Authorized Data Publishers (ADP)
1. CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
2. CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://lists.debian.org/debian-lts-announce/2025/08/msg00019.html
N/A
Hyperlink: https://lists.debian.org/debian-lts-announce/2025/08/msg00019.html
Resource: N/A
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:sep@nlnetlabs.nl
Published At:16 Jul, 2025 | 15:15
Updated At:03 Nov, 2025 | 19:16

A multi-vendor cache poisoning vulnerability named 'Rebirthday Attack' has been discovered in caching resolvers that support EDNS Client Subnet (ECS). Unbound is also vulnerable when compiled with ECS support, i.e., '--enable-subnet', AND configured to send ECS information along with queries to upstream name servers, i.e., at least one of the 'send-client-subnet', 'client-subnet-zone' or 'client-subnet-always-forward' options is used. Resolvers supporting ECS need to segregate outgoing queries to accommodate for different outgoing ECS information. This re-opens up resolvers to a birthday paradox attack (Rebirthday Attack) that tries to match the DNS transaction ID in order to cache non-ECS poisonous replies.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary4.08.7HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:U/V:C/RE:X/U:X
Type: Secondary
Version: 4.0
Base score: 8.7
Base severity: HIGH
Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:U/V:C/RE:X/U:X
CPE Matches
Weaknesses
CWE IDTypeSource
CWE-349Secondarysep@nlnetlabs.nl
CWE ID: CWE-349
Type: Secondary
Source: sep@nlnetlabs.nl
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://nlnetlabs.nl/downloads/unbound/CVE-2025-5994.txtsep@nlnetlabs.nl
N/A
https://lists.debian.org/debian-lts-announce/2025/08/msg00019.htmlaf854a3a-2127-422b-91ae-364da2661108
N/A
Hyperlink: https://nlnetlabs.nl/downloads/unbound/CVE-2025-5994.txt
Source: sep@nlnetlabs.nl
Resource: N/A
Hyperlink: https://lists.debian.org/debian-lts-announce/2025/08/msg00019.html
Source: af854a3a-2127-422b-91ae-364da2661108
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

2Records found
CVE-2026-42960
Matching Score-6
Assigner-NLnet Labs
ShareView Details
Matching Score-6
Assigner-NLnet Labs
CVSS Score-5.7||MEDIUM
EPSS-0.25% / 16.09%
||
7 Day CHG~0.00%
Published-20 May, 2026 | 09:21
Updated-20 May, 2026 | 22:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Possible cache poisoning via promiscuous records for the authority section

NLnet Labs Unbound up to and including version 1.25.0 is vulnerable to poisoning via promiscuous records for the authority section. Promiscuous RRSets that complement DNS replies in the authority section can be used to trick Unbound to cache such records. If an adversary is able to attach such records in a reply (i.e., spoofed packet, fragmentation attack) he would be able to poison Unbound's cache. A malicious actor can exploit the possible poisonous effect by injecting RRSets other than NS that are also accompanied by address records in a reply, for example MX. This could be achieved by trying to spoof a reply packet or fragmentation attacks. Unbound would then accept the relative address records in the additional section and cache them if the authority RRSet has enough trust at this point, i.e., in-zone data for the delegation point. Unbound 1.25.1 contains a patch with a fix that disregards address records from the additional section if they are not explicitly relevant only to authority NS records, mitigating the possible poison effect. This is a complement fix to CVE-2025-11411.

Action-Not Available
Vendor-nlnetlabsNLnet Labs
Product-unboundUnbound
CWE ID-CWE-349
Acceptance of Extraneous Untrusted Data With Trusted Data
CVE-2025-11411
Matching Score-6
Assigner-NLnet Labs
ShareView Details
Matching Score-6
Assigner-NLnet Labs
CVSS Score-5.7||MEDIUM
EPSS-0.31% / 22.82%
||
7 Day CHG+0.02%
Published-22 Oct, 2025 | 12:28
Updated-05 Dec, 2025 | 11:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Possible domain hijacking via promiscuous records in the authority section

NLnet Labs Unbound up to and including version 1.24.1 is vulnerable to possible domain hijack attacks. Promiscuous NS RRSets that complement positive DNS replies in the authority section can be used to trick resolvers to update their delegation information for the zone. Usually these RRSets are used to update the resolver's knowledge of the zone's name servers. A malicious actor can exploit the possible poisonous effect by injecting NS RRSets (and possibly their respective address records) in a reply. This could be done for example by trying to spoof a packet or fragmentation attacks. Unbound would then proceed to update the NS RRSet data it already has since the new data has enough trust for it, i.e., in-zone data for the delegation point. Unbound 1.24.1 includes a fix that scrubs unsolicited NS RRSets (and their respective address records) from replies mitigating the possible poison effect. Unbound 1.24.2 includes an additional fix that scrubs unsolicited NS RRSets (and their respective address records) from YXDOMAIN and non-referral nodata replies, further mitigating the possible poison effect.

Action-Not Available
Vendor-NLnet Labs
Product-Unbound
CWE ID-CWE-349
Acceptance of Extraneous Untrusted Data With Trusted Data
Details not found