CVE-2025-58063
BaseFortify

Publication date: 2025-09-09

Last updated on: 2025-09-11

Assigner: GitHub, Inc.

Description
CoreDNS is a DNS server that chains plugins. Starting in version 1.2.0 and prior to version 1.12.4, the CoreDNS etcd plugin contains a TTL confusion vulnerability where lease IDs are incorrectly used as TTL values, enabling DNS cache pinning attacks. This effectively creates a DoS condition for DNS resolution of affected services. The `TTL()` function in `plugin/etcd/etcd.go` incorrectly casts etcd lease IDs (64-bit integers) to uint32 and uses them as TTL values. Large lease IDs become very large TTLs when cast to uint32. This enables cache pinning attacks. Version 1.12.4 contains a fix for the issue.
Meta Information
Generated: 2026-05-07
AI Q&A: 2025-09-09
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor Product Version / Range
coredns coredns 1.2.0 (first affected version, inclusive)
coredns coredns 1.12.4 (fixed version, not affected)

The two CPE entries are the endpoints of the affected range given in the description: CoreDNS versions from 1.2.0 up to, but not including, 1.12.4 are vulnerable when the etcd plugin is in use.
CWE
CWE ID: CWE-681 (Incorrect Conversion between Numeric Types)
Description: When converting from one data type to another, such as long to integer, data can be omitted or translated in a way that produces unexpected values. If the resulting values are used in a sensitive context, then dangerous behaviors may occur. Here the conversion is from a 64-bit etcd lease ID to a 32-bit DNS TTL.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-58063 is a vulnerability in the CoreDNS etcd plugin where the TTL (Time-To-Live) of a DNS record is derived by casting the etcd lease ID attached to the key to a 32-bit TTL in seconds. A lease ID is an opaque 64-bit identifier, not a duration; its low 32 bits bear no relation to how long the lease lives and are commonly a very large number, so the record is served with an enormous TTL (a uint32 TTL can reach roughly 136 years). An attacker with etcd write access can create or update DNS records under leases whose IDs yield such TTLs, causing clients and intermediate resolvers to cache the answer for excessively long periods. Subsequent DNS updates are then ignored by anything holding the pinned entry, which amounts to a denial-of-service condition for DNS resolution of the affected services. [1]


How can this vulnerability impact me?

This vulnerability can impact you by causing DNS resolution failures or delays for services relying on CoreDNS with the etcd plugin. Because DNS records can be cached for abnormally long times due to the incorrect TTL, updates such as IP address changes, failovers, or rollbacks may not propagate promptly. This leads to a denial-of-service condition affecting availability. The integrity of DNS responses is also impacted as stale or incorrect DNS answers persist longer than intended. However, there is no impact on confidentiality. [1]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection starts with establishing whether your CoreDNS deployment is in the vulnerable range (1.2.0 up to, but not including, 1.12.4) and actually loads the etcd plugin. `coredns -version` prints the running version and `coredns -plugins` lists the plugins compiled into the binary; the plugin is only active if your Corefile contains an `etcd` block. Next, inspect the TTLs CoreDNS actually serves: query records served from etcd, for example with `dig @<coredns-server> <record> +ttlunits`, and look for TTLs that are far larger than any lease you would grant (days or years rather than seconds or minutes). Such values are a strong indicator that a lease ID is being served as a TTL, whether through an attack or through ordinary records attached to leases. If you have etcd access, compare the TTL CoreDNS returns with the real remaining lease time, for example with `etcdctl lease timetolive <lease-id> --keys`; a mismatch confirms the confusion. Because exploitation requires etcd write access, auditing etcd access logs and the RBAC roles that grant write permission on the DNS key prefix can also reveal exploitation attempts. [1]
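The TTL check suggested above, as an added example that is not part of the BaseFortify page or the CoreDNS project: it parses the ANSWER SECTION of ordinary `dig` output (without `+ttlunits`) and flags records whose TTL exceeds a threshold. The dig transcript, the record names and addresses, and the one-day threshold are all constructed for this example.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Answer is one resource record from dig's ANSWER SECTION.
type Answer struct {
	Name  string
	TTL   uint32
	Type  string
	RData string
}

// sampleDig is a constructed dig transcript: two answers carry the TTL that
// results from truncating the lease ID 0x694D7B4A1F2C3E01 to uint32.
const sampleDig = `
; <<>> DiG <<>> @10.0.0.53 db.example.internal
;; QUESTION SECTION:
;db.example.internal.		IN	A

;; ANSWER SECTION:
api.example.internal.	60	IN	A	10.0.0.10
db.example.internal.	522993153	IN	A	10.0.0.12
db.example.internal.	522993153	IN	A	10.0.0.13

;; Query time: 1 msec
`

// parseDigAnswers extracts records from dig's default output. Lines beginning
// with ';' are comments or section headers; record lines are
// "<name> <ttl> <class> <type> <rdata...>" separated by whitespace.
func parseDigAnswers(out string) []Answer {
	var recs []Answer
	for _, line := range strings.Split(out, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, ";") {
			continue
		}
		f := strings.Fields(line)
		if len(f) < 5 || f[2] != "IN" {
			continue
		}
		ttl, err := strconv.ParseUint(f[1], 10, 32)
		if err != nil {
			continue // not a record line
		}
		recs = append(recs, Answer{Name: f[0], TTL: uint32(ttl), Type: f[3], RData: strings.Join(f[4:], " ")})
	}
	return recs
}

// pinnedRecords returns the answers whose TTL exceeds maxExpected seconds.
func pinnedRecords(recs []Answer, maxExpected uint32) []Answer {
	var bad []Answer
	for _, r := range recs {
		if r.TTL > maxExpected {
			bad = append(bad, r)
		}
	}
	return bad
}

// humanTTL renders a TTL in years, days, hours or seconds so the scale is obvious.
func humanTTL(ttl uint32) string {
	switch {
	case ttl >= 31557600:
		return fmt.Sprintf("%.1fy", float64(ttl)/31557600)
	case ttl >= 86400:
		return fmt.Sprintf("%.1fd", float64(ttl)/86400)
	case ttl >= 3600:
		return fmt.Sprintf("%.1fh", float64(ttl)/3600)
	}
	return fmt.Sprintf("%ds", ttl)
}

func main() {
	// Assumed threshold: no legitimate lease in this deployment lives longer than a day.
	const maxExpected = 86400
	for _, r := range pinnedRecords(parseDigAnswers(sampleDig), maxExpected) {
		fmt.Printf("suspicious TTL: %s %s %s ttl=%d (%s)\n", r.Name, r.Type, r.RData, r.TTL, humanTTL(r.TTL))
	}
}
```

In practice you would pipe `dig @<coredns-server> <record>` into this parser for each record served from etcd; any hit well above your longest lease is worth checking against `etcdctl lease timetolive`.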


What immediate steps should I take to mitigate this vulnerability?

The immediate step is to upgrade CoreDNS to version 1.12.4 or later, where the vulnerability is fixed. The fix retrieves the record's TTL from the etcd lease API, that is, from the remaining time on the lease, instead of casting the lease ID, and applies configurable minimum and maximum TTL bounds so that no extreme value reaches clients. If upgrading immediately is not possible, restrict etcd write access on the DNS key prefix to trusted principals, audit and tighten etcd RBAC and client-certificate (TLS) configuration, and monitor served TTLs for cache-pinning behavior. Once the fixed version is deployed, configuration options such as `min-lease-ttl` and `max-lease-ttl` in the etcd plugin block can clamp TTL values to the range you expect. [1, 2]
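To make the flaw and its fix concrete for both the explanation and the mitigation answers above, here is an added example that is neither BaseFortify's nor CoreDNS's own code. It models the pre-1.12.4 behaviour the advisory describes (an int64 lease ID cast to uint32 and used as a TTL) next to a corrected version that resolves the lease to its remaining seconds and clamps the result. The `KeyValue` and `Service` types, the `LeaseTTL` callback standing in for the etcd lease API, the bound parameters, the default of 300 seconds and the lease ID are all assumptions of this example.

```go
package main

import "fmt"

// KeyValue models the fields of an etcd key/value record that matter here.
// Lease is the ID of the lease attached to the key: an opaque int64 handle,
// not a number of seconds. (Simplified model for this example.)
type KeyValue struct {
	Key   string
	Value string
	Lease int64
}

// Service models a DNS record stored by the etcd plugin, with its own optional TTL.
type Service struct {
	Host string
	TTL  uint32 // 0 means "not set"
}

const defaultTTL uint32 = 300 // assumed default when neither TTL is set

// vulnerableTTL reproduces the flaw the advisory describes: the 64-bit lease
// ID is truncated to uint32 and treated as a TTL in seconds (CWE-681).
func vulnerableTTL(kv KeyValue, serv Service) uint32 {
	etcdTTL := uint32(kv.Lease) // an identifier silently becomes a duration
	switch {
	case etcdTTL == 0 && serv.TTL == 0:
		return defaultTTL
	case etcdTTL == 0:
		return serv.TTL
	case serv.TTL == 0:
		return etcdTTL
	case etcdTTL < serv.TTL:
		return etcdTTL
	}
	return serv.TTL
}

// LeaseTTL stands in for the etcd lease API (a TimeToLive call): it returns
// the seconds remaining on a lease, or ok=false if the lease no longer exists.
type LeaseTTL func(leaseID int64) (remaining int64, ok bool)

// fixedTTL resolves the lease ID to its real remaining TTL through the lease
// API and clamps the result to [minTTL, maxTTL]. The bounds are this
// example's own parameters, illustrating the clamping the advisory describes.
func fixedTTL(kv KeyValue, serv Service, lookup LeaseTTL, minTTL, maxTTL uint32) uint32 {
	var etcdTTL uint32
	if kv.Lease != 0 {
		if remaining, ok := lookup(kv.Lease); ok && remaining > 0 {
			if remaining > int64(maxTTL) {
				etcdTTL = maxTTL // never let a lease duration exceed the cap
			} else {
				etcdTTL = uint32(remaining)
			}
		}
	}
	var ttl uint32
	switch {
	case etcdTTL == 0 && serv.TTL == 0:
		ttl = defaultTTL // lease gone or absent, no record TTL: use the default
	case etcdTTL == 0:
		ttl = serv.TTL
	case serv.TTL == 0:
		ttl = etcdTTL
	case etcdTTL < serv.TTL:
		ttl = etcdTTL
	default:
		ttl = serv.TTL
	}
	return clamp(ttl, minTTL, maxTTL)
}

func clamp(v, lo, hi uint32) uint32 {
	if v < lo {
		return lo
	}
	if v > hi {
		return hi
	}
	return v
}

// years converts a TTL in seconds to approximate years, to make the scale visible.
func years(ttl uint32) float64 { return float64(ttl) / 31557600 }

func main() {
	// Constructed lease ID of the shape etcd hands out: a large 64-bit value.
	kv := KeyValue{Key: "/skydns/internal/example/db", Value: `{"host":"10.0.0.12"}`, Lease: 0x694D7B4A1F2C3E01}
	serv := Service{Host: "10.0.0.12"} // record carries no explicit TTL

	bad := vulnerableTTL(kv, serv)
	fmt.Printf("vulnerable TTL: %d s (~%.1f years)\n", bad, years(bad))

	// Simulated lease API: the lease actually has 45 s left.
	lookup := func(id int64) (int64, bool) { return 45, id == kv.Lease }
	good := fixedTTL(kv, serv, lookup, 5, 3600)
	fmt.Printf("fixed TTL:      %d s\n", good)
}
```

Note that a record which sets its own TTL is only partly protected by the old code: the smaller of the two values wins, so it masks the bug whenever the truncated lease ID happens to be larger, while records without their own TTL are pinned for the full bogus duration.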

