{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-59029", "assignerOrgId": "8ce71d90-2354-404b-a86e-bec2cc4e6981", "state": "PUBLISHED", "assignerShortName": "OX", "dateReserved": "2025-09-08T14:22:28.105Z", "datePublished": "2025-12-09T09:16:03.148Z", "dateUpdated": "2025-12-09T14:29:55.534Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://repo.powerdns.com/", "defaultStatus": "unaffected", "modules": ["Record cache"], "packageName": "pdns-recursor", "product": "Recursor", "programFiles": ["recursor_cache.cc"], "repo": "https://github.com/PowerDNS/pdns", "vendor": "PowerDNS", "versions": [{"lessThan": "5.3.2", "status": "affected", "version": "5.3.0", "versionType": "semver"}]}], "datePublic": "2025-12-08T10:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>An attacker can trigger an assertion failure by requesting crafted DNS records, waiting for them to be inserted into the records cache, then send a query with qtype set to ANY.</p>"}], "value": "An attacker can trigger an assertion failure by requesting crafted DNS records, waiting for them to be inserted into the records cache, then send a query with qtype set to ANY."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-617", "description": "CWE-617 Reachable Assertion", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "8ce71d90-2354-404b-a86e-bec2cc4e6981", "shortName": "OX", "dateUpdated": "2025-12-09T09:16:03.148Z"}, "references": [{"url": "https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2025-07.html"}], "source": {"advisory": "PowerDNS Security Advisory 2025-07", "discovery": "EXTERNAL"}, "title": "Internal logic flaw in cache management can lead to a denial of service in PowerDNS Recursor", "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-09T14:29:51.430262Z", "id": "CVE-2025-59029", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-09T14:29:55.534Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-59029", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-09T14:29:51.430262Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-09T14:29:53.127Z"}}], "cna": {"title": "Internal logic flaw in cache management can lead to a denial of service in PowerDNS Recursor", "source": {"advisory": "PowerDNS Security Advisory 2025-07", "discovery": "EXTERNAL"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/PowerDNS/pdns", "vendor": "PowerDNS", "modules": ["Record cache"], "product": "Recursor", "versions": [{"status": "affected", "version": "5.3.0", "lessThan": "5.3.2", "versionType": "semver"}], "packageName": "pdns-recursor", "programFiles": ["recursor_cache.cc"], "collectionURL": "https://repo.powerdns.com/", "defaultStatus": "unaffected"}], "datePublic": "2025-12-08T10:00:00.000Z", "references": [{"url": "https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2025-07.html"}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "An attacker can trigger an assertion failure by requesting crafted DNS records, waiting for them to be inserted into the records cache, then send a query with qtype set to ANY.", "supportingMedia": [{"type": "text/html", "value": "<p>An attacker can trigger an assertion failure by requesting crafted DNS records, waiting for them to be inserted into the records cache, then send a query with qtype set to ANY.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-617", "description": "CWE-617 Reachable Assertion"}]}], "providerMetadata": {"orgId": "8ce71d90-2354-404b-a86e-bec2cc4e6981", "shortName": "OX", "dateUpdated": "2025-12-09T09:16:03.148Z"}}}, "cveMetadata": {"cveId": "CVE-2025-59029", "state": "PUBLISHED", "dateUpdated": "2025-12-09T14:29:55.534Z", "dateReserved": "2025-09-08T14:22:28.105Z", "assignerOrgId": "8ce71d90-2354-404b-a86e-bec2cc4e6981", "datePublished": "2025-12-09T09:16:03.148Z", "assignerShortName": "OX"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:powerdns:recursor:5.3.0:-:*:*:*:*:*:*", "matchCriteriaId": "60EB1FF6-8039-4F08-B943-13DFC479433B", "vulnerable": true}, {"criteria": "cpe:2.3:a:powerdns:recursor:5.3.1:*:*:*:*:*:*:*", "matchCriteriaId": "2C2B07F4-3564-444F-AD04-26B956E06EB3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An attacker can trigger an assertion failure by requesting crafted DNS records, waiting for them to be inserted into the records cache, then send a query with qtype set to ANY."}], "id": "CVE-2025-59029", "lastModified": "2026-02-19T17:13:48.907", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@open-xchange.com", "type": "Secondary"}]}, "published": "2025-12-09T16:17:58.990", "references": [{"source": "security@open-xchange.com", "tags": ["Vendor Advisory"], "url": "https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2025-07.html"}], "sourceIdentifier": "security@open-xchange.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-617"}], "source": "security@open-xchange.com", "type": "Secondary"}]}

{"bugzilla": {"description": "PowerDNS: PowerDNS: Assertion failure due to crafted DNS records", "id": "2420464", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2420464"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "status": "draft"}, "cwe": "CWE-617", "details": ["An attacker can trigger an assertion failure by requesting crafted DNS records, waiting for them to be inserted into the records cache, then send a query with qtype set to ANY.", "A flaw was found in PowerDNS. This vulnerability allows an attacker to trigger an assertion failure via requesting crafted DNS (Domain Name System) records, waiting for them to be inserted into the records cache, then sending a query with qtype set to ANY."], "mitigation": {"lang": "en:us", "value": "To mitigate this issue, restrict network access to the PowerDNS service to only trusted clients or networks. This can be achieved by configuring firewall rules to limit incoming connections to the PowerDNS port (typically UDP/TCP 53). For example, using `firewalld`: `sudo firewall-cmd --permanent --add-rich-rule='rule family=\"ipv4\" source address=\"<TRUSTED_NETWORK>\" port port=\"53\" protocol=\"udp\" accept'` and `sudo firewall-cmd --permanent --add-rich-rule='rule family=\"ipv4\" source address=\"<TRUSTED_NETWORK>\" port port=\"53\" protocol=\"tcp\" accept'`. After applying firewall rules, reload the firewall: `sudo firewall-cmd --reload`. This may impact legitimate DNS resolution if not configured carefully. A service restart may be required for changes to take full effect."}, "name": "CVE-2025-59029", "public_date": "2025-12-09T09:16:03Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-59029\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-59029\nhttps://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2025-07.html"], "statement": "This vulnerability is rated Moderate for Red Hat because an attacker can trigger an assertion failure in PowerDNS by requesting crafted DNS records and then sending a query with qtype set to ANY. This could lead to a denial of service for the PowerDNS service.", "threat_severity": "Moderate"}

{"created": "2025-12-10T17:52:18.011887+00:00", "updated": "2025-12-10T17:52:18.011924+00:00", "vendors": ["powerdns", "powerdns$PRODUCT$recursor"]}