{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-5994", "assignerOrgId": "206fc3a0-e175-490b-9eaa-a5738056c9f6", "state": "PUBLISHED", "assignerShortName": "NLnet Labs", "dateReserved": "2025-06-11T09:08:05.767Z", "datePublished": "2025-07-16T14:38:22.738Z", "dateUpdated": "2025-07-16T15:42:18.657Z"}, "containers": {"cna": {"title": "Cache poisoning via the ECS-enabled Rebirthday Attack", "datePublic": "2025-07-16T00:00:00.000Z", "affected": [{"vendor": "NLnet Labs", "product": "Unbound", "versions": [{"version": "1.6.2", "status": "affected", "lessThan": "1.23.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "A multi-vendor cache poisoning vulnerability named 'Rebirthday Attack' has been discovered in caching resolvers that support EDNS Client Subnet (ECS). Unbound is also vulnerable when compiled with ECS support, i.e., '--enable-subnet', AND configured to send ECS information along with queries to upstream name servers, i.e., at least one of the 'send-client-subnet', 'client-subnet-zone' or 'client-subnet-always-forward' options is used. Resolvers supporting ECS need to segregate outgoing queries to accommodate for different outgoing ECS information. This re-opens up resolvers to a birthday paradox attack (Rebirthday Attack) that tries to match the DNS transaction ID in order to cache non-ECS poisonous replies."}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "Compiled and configured for ECS support"}], "cvssV4_0": {"version": "4.0", "baseScore": 8.7, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/R:U/V:C"}}], "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-349", "description": "CWE-349 Acceptance of Extraneous Untrusted Data With Trusted Data", "type": "CWE"}]}], "solutions": [{"lang": "en", "value": "This issue is fixed in 1.23.1 and all later versions. Not using EDNS Client Subnet (ECS) is also a mitigation for affected versions."}], "timeline": [{"time": "2025-01-02T00:00:00.000Z", "lang": "en", "value": "Issue reported by Xiang Li"}, {"time": "2025-01-03T00:00:00.000Z", "lang": "en", "value": "Issue acknowledged by NLnet Labs"}, {"time": "2025-01-08T00:00:00.000Z", "lang": "en", "value": "Mitigation shared with Xiang Li"}, {"time": "2025-07-16T00:00:00.000Z", "lang": "en", "value": "Fix released with Unbound 1.23.1 (coordinated with other vendors)"}], "credits": [{"lang": "en", "value": "Xiang Li (AOSP Lab, Nankai University)", "type": "finder"}], "references": [{"url": "https://nlnetlabs.nl/downloads/unbound/CVE-2025-5994.txt", "tags": ["vendor-advisory"]}], "providerMetadata": {"orgId": "206fc3a0-e175-490b-9eaa-a5738056c9f6", "shortName": "NLnet Labs", "dateUpdated": "2025-07-16T14:38:22.738Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-07-16T15:42:14.147972Z", "id": "CVE-2025-5994", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-16T15:42:18.657Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-5994", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-07-16T15:42:14.147972Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-16T15:42:16.296Z"}}], "cna": {"title": "Cache poisoning via the ECS-enabled Rebirthday Attack", "credits": [{"lang": "en", "type": "finder", "value": "Xiang Li (AOSP Lab, Nankai University)"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"version": "4.0", "baseScore": 8.7, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/R:U/V:C"}, "scenarios": [{"lang": "en", "value": "Compiled and configured for ECS support"}]}], "affected": [{"vendor": "NLnet Labs", "product": "Unbound", "versions": [{"status": "affected", "version": "1.6.2", "lessThan": "1.23.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-01-02T00:00:00.000Z", "value": "Issue reported by Xiang Li"}, {"lang": "en", "time": "2025-01-03T00:00:00.000Z", "value": "Issue acknowledged by NLnet Labs"}, {"lang": "en", "time": "2025-01-08T00:00:00.000Z", "value": "Mitigation shared with Xiang Li"}, {"lang": "en", "time": "2025-07-16T00:00:00.000Z", "value": "Fix released with Unbound 1.23.1 (coordinated with other vendors)"}], "solutions": [{"lang": "en", "value": "This issue is fixed in 1.23.1 and all later versions. Not using EDNS Client Subnet (ECS) is also a mitigation for affected versions."}], "datePublic": "2025-07-16T00:00:00.000Z", "references": [{"url": "https://nlnetlabs.nl/downloads/unbound/CVE-2025-5994.txt", "tags": ["vendor-advisory"]}], "descriptions": [{"lang": "en", "value": "A multi-vendor cache poisoning vulnerability named 'Rebirthday Attack' has been discovered in caching resolvers that support EDNS Client Subnet (ECS). Unbound is also vulnerable when compiled with ECS support, i.e., '--enable-subnet', AND configured to send ECS information along with queries to upstream name servers, i.e., at least one of the 'send-client-subnet', 'client-subnet-zone' or 'client-subnet-always-forward' options is used. Resolvers supporting ECS need to segregate outgoing queries to accommodate for different outgoing ECS information. This re-opens up resolvers to a birthday paradox attack (Rebirthday Attack) that tries to match the DNS transaction ID in order to cache non-ECS poisonous replies."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-349", "description": "CWE-349 Acceptance of Extraneous Untrusted Data With Trusted Data"}]}], "providerMetadata": {"orgId": "206fc3a0-e175-490b-9eaa-a5738056c9f6", "shortName": "NLnet Labs", "dateUpdated": "2025-07-16T14:38:22.738Z"}}}, "cveMetadata": {"cveId": "CVE-2025-5994", "state": "PUBLISHED", "dateUpdated": "2025-07-16T15:42:18.657Z", "dateReserved": "2025-06-11T09:08:05.767Z", "assignerOrgId": "206fc3a0-e175-490b-9eaa-a5738056c9f6", "datePublished": "2025-07-16T14:38:22.738Z", "assignerShortName": "NLnet Labs"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A multi-vendor cache poisoning vulnerability named 'Rebirthday Attack' has been discovered in caching resolvers that support EDNS Client Subnet (ECS). Unbound is also vulnerable when compiled with ECS support, i.e., '--enable-subnet', AND configured to send ECS information along with queries to upstream name servers, i.e., at least one of the 'send-client-subnet', 'client-subnet-zone' or 'client-subnet-always-forward' options is used. Resolvers supporting ECS need to segregate outgoing queries to accommodate for different outgoing ECS information. This re-opens up resolvers to a birthday paradox attack (Rebirthday Attack) that tries to match the DNS transaction ID in order to cache non-ECS poisonous replies."}, {"lang": "es", "value": "Se ha descubierto una vulnerabilidad de envenenamiento de cach\u00e9 multiproveedor, denominada \"Ataque Rebirthday\", en resolutores de cach\u00e9 compatibles con EDNS Client Subnet (ECS). Unbound tambi\u00e9n es vulnerable cuando se compila con compatibilidad con ECS (es decir, con \"--enable-subnet\") y se configura para enviar informaci\u00f3n de ECS junto con consultas a servidores de nombres ascendentes (es decir, se utiliza al menos una de las opciones \"send-client-subnet\", \"client-subnet-zone\" o \"client-subnet-always-forward\"). Los resolutores compatibles con ECS deben segregar las consultas salientes para adaptarlas a la diferente informaci\u00f3n de ECS saliente. Esto expone a los resolutores a un ataque de paradoja de cumplea\u00f1os (Ataque Rebirthday), que intenta coincidir con el ID de transacci\u00f3n DNS para almacenar en cach\u00e9 respuestas t\u00f3xicas que no sean de ECS."}], "id": "CVE-2025-5994", "lastModified": "2025-07-17T21:15:50.197", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "USER", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "CONCENTRATED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:U/V:C/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "[email protected]", "type": "Secondary"}]}, "published": "2025-07-16T15:15:33.490", "references": [{"source": "[email protected]", "url": "https://nlnetlabs.nl/downloads/unbound/CVE-2025-5994.txt"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-349"}], "source": "[email protected]", "type": "Secondary"}]}

{"bugzilla": {"description": "unbound: Unbound Cache poisoning", "id": "2380949", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2380949"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "status": "draft"}, "cwe": "CWE-349", "details": ["No description is available for this CVE."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2025-5994", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "unbound", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "unbound", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "unbound", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "unbound", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "unbound", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "rhcos", "product_name": "Red Hat OpenShift Container Platform 4"}], "public_date": "2025-07-16T14:38:22Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-5994\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-5994\nhttps://nlnetlabs.nl/downloads/unbound/CVE-2025-5994.txt"], "threat_severity": "Important"}