CVE-2025-58063
BaseFortify
Publication date: 2025-09-09
Last updated on: 2025-09-11
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| coredns | coredns | 1.2.0 up to (excluding) 1.12.4 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-681 | When converting from one data type to another, such as long to integer, data can be omitted or translated in a way that produces unexpected values. If the resulting values are used in a sensitive context, then dangerous behaviors may occur. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-58063 is a vulnerability in the CoreDNS etcd plugin where the TTL (Time-To-Live) value for DNS records is incorrectly derived by casting etcd lease IDs (which are identifiers) as TTL durations. This casting causes extremely large TTL values, leading to DNS cache pinning attacks. An attacker with etcd write access can create or update DNS records with arbitrary lease IDs, causing clients and resolvers to cache stale DNS entries for excessively long periods (potentially years). This results in a denial-of-service condition for DNS resolution of affected services, as DNS updates may be ignored due to the pinned cache entries. [1]
How can this vulnerability impact me?
This vulnerability can impact you by causing DNS resolution failures or delays for services relying on CoreDNS with the etcd plugin. Because DNS records can be cached for abnormally long times due to the incorrect TTL, updates such as IP address changes, failovers, or rollbacks may not propagate promptly. This leads to a denial-of-service condition affecting availability. The integrity of DNS responses is also impacted as stale or incorrect DNS answers persist longer than intended. However, there is no impact on confidentiality. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection starts with identifying whether your CoreDNS deployment uses the etcd plugin on a vulnerable CoreDNS release, i.e. any version from 1.2.0 up to but not including 1.12.4; check the CoreDNS version and the plugin blocks in the Corefile. Additionally, monitoring DNS responses for abnormally large TTL values (e.g., TTLs lasting years) can indicate cache pinning attacks. A practical approach is to query records served by CoreDNS and inspect the TTL column of the answer section, for example with `dig @<coredns-server> <record> +ttlunits`, and flag TTLs that are much greater than the longest lease duration you actually grant. Reviewing etcd lease IDs and comparing them to the TTLs being served can also reveal the misuse. Since exploitation requires etcd write access, auditing etcd access logs and permissions can help detect attempts. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading CoreDNS to version 1.12.4 or later, where the vulnerability is fixed. The fix involves correctly retrieving TTL values from the etcd lease API instead of casting lease IDs, and applying configurable minimum and maximum TTL bounds to prevent extreme TTL values. If upgrading immediately is not possible, consider restricting etcd write access to trusted users only, auditing and tightening RBAC and TLS configurations, and monitoring for suspicious DNS cache pinning behavior. Applying configuration options such as `min-lease-ttl` and `max-lease-ttl` in the etcd plugin block can help clamp TTL values once the fixed version is deployed. [1, 2]
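To make the defect and the fix concrete, here is an added Go example (written for this page, not CoreDNS's or etcd's code) that contrasts the lease-ID cast described above with a lookup of the real lease lifetime clamped to bounds, plus the resolver-side TTL check behind the dig advice. The `kv` and `leaseTTLs` types, the lease ID, the key and the bounds are constructed stand-ins, not etcd or CoreDNS identifiers.

```go
package main

import (
	"fmt"
	"time"
)

// Constructed stand-in for an etcd key-value entry (the real client type also holds
// a lease *ID* in this position, never a duration).
type kv struct {
	Key   string
	Lease int64 // lease ID: an opaque 64-bit identifier
}
// Constructed stand-in for the etcd lease API: lease ID -> remaining TTL in seconds.
type leaseTTLs map[int64]int64

// vulnerableTTL models the defect class on the page: the lease ID is cast to a
// duration. Go keeps the low 32 bits, so the "TTL" can reach ~136 years.
func vulnerableTTL(rec kv) uint32 { return uint32(rec.Lease) }

// fixedTTL asks the lease API for the real remaining lifetime and clamps it to
// [minTTL, maxTTL]; records without a usable lease get fallback.
func fixedTTL(rec kv, leases leaseTTLs, minTTL, maxTTL, fallback uint32) uint32 {
	remaining, ok := leases[rec.Lease]
	if rec.Lease == 0 || !ok || remaining <= 0 {
		return fallback // no lease, unknown lease, or already expired
	}
	ttl := maxTTL
	if remaining < int64(maxTTL) {
		ttl = uint32(remaining)
	}
	if ttl < minTTL {
		ttl = minTTL
	}
	return ttl
}

// pinned is the resolver-side check for TTLs seen in dig output: a TTL far beyond
// the longest lease you actually grant is the cache-pinning signal described above.
func pinned(ttl uint32, longestLease time.Duration) bool {
	return time.Duration(ttl)*time.Second > longestLease
}

func main() {
	rec := kv{Key: "/skydns/local/cluster/app", Lease: 0x123456789ABCDEF0} // constructed ID
	leases := leaseTTLs{rec.Lease: 300}                                    // really 5 minutes
	bad, good := vulnerableTTL(rec), fixedTTL(rec, leases, 5, 3600, 300)
	fmt.Printf("vulnerable TTL %d s (~%.0f years), pinned=%v\n", bad, float64(bad)/31536000, pinned(bad, time.Hour))
	fmt.Printf("fixed TTL %d s, pinned=%v\n", good, pinned(good, time.Hour))
}
```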