CVE-2025-11411
BaseFortify

Publication date: 2025-10-22

Last updated on: 2025-12-05

Assigner: NLnet Labs

Description
NLnet Labs Unbound up to and including version 1.24.1 is vulnerable to possible domain hijack attacks. Promiscuous NS RRSets that accompany positive DNS replies in the authority section can be used to trick resolvers into updating their delegation information for the zone. Usually these RRSets are used to update the resolver's knowledge of the zone's name servers. A malicious actor can exploit the possible poisonous effect by injecting NS RRSets (and possibly their respective address records) into a reply, for example by spoofing a packet or by fragmentation attacks. Unbound would then proceed to update the NS RRSet data it already has, since the new data has enough trust for it, i.e., it is in-zone data for the delegation point. Unbound 1.24.1 includes a fix that scrubs unsolicited NS RRSets (and their respective address records) from replies, mitigating the possible poison effect. Unbound 1.24.2 includes an additional fix that scrubs unsolicited NS RRSets (and their respective address records) from YXDOMAIN and non-referral nodata replies, further mitigating the possible poison effect.
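The scrubbing that the fix describes, modelled as an added example rather than Unbound's own code: a resolver-side check that keeps authority-section NS RRSets only for a genuine referral (a downward delegation on the query path from the zone the queried server serves) and strips them, together with the address records that travel with them, from positive replies, non-referral nodata replies and any non-NOERROR reply. The record model, the `server_zone` parameter and the three sample replies are constructed assumptions for illustration.

```python
"""Illustrative model of the CVE-2025-11411 mitigation: drop unsolicited
NS RRSets (and their glue) from a reply before the cache ever sees them.
Added example; not Unbound's code. Record layout and samples are constructed."""

from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass(frozen=True)
class RR:
    """One resource record; owner names are kept lower-case with a trailing dot."""
    name: str
    rtype: str
    rdata: str


@dataclass
class Reply:
    """The parts of a DNS response that matter for this check (assumed model)."""
    qname: str
    rcode: str
    answer: List[RR] = field(default_factory=list)
    authority: List[RR] = field(default_factory=list)
    additional: List[RR] = field(default_factory=list)


def norm(name: str) -> str:
    return name.lower().rstrip(".") + "."


def is_at_or_below(name: str, zone: str) -> bool:
    """True if name equals zone or lies beneath it (the root "." matches everything)."""
    name, zone = norm(name), norm(zone)
    return zone == "." or name == zone or name.endswith("." + zone)


def is_referral(reply: Reply, server_zone: str) -> bool:
    """A referral: NOERROR, empty answer, no SOA, and every authority NS RRSet is
    owned by a name strictly below the queried server's zone and at or above the
    query name, i.e. a delegation one step down the query path."""
    if reply.rcode != "NOERROR" or reply.answer:
        return False
    if any(rr.rtype == "SOA" for rr in reply.authority):
        return False  # authoritative nodata/NXDOMAIN carry an SOA; referrals do not
    ns_owners = {norm(rr.name) for rr in reply.authority if rr.rtype == "NS"}
    if not ns_owners:
        return False
    return all(
        is_at_or_below(owner, server_zone) and owner != norm(server_zone)
        and is_at_or_below(reply.qname, owner)
        for owner in ns_owners
    )


def scrub_unsolicited_ns(reply: Reply, server_zone: str) -> Tuple[Reply, List[RR]]:
    """Return the reply with unsolicited authority NS RRSets and their address
    records removed, plus the list of removed records (useful for logging)."""
    if is_referral(reply, server_zone):
        return reply, []
    dropped_ns = [rr for rr in reply.authority if rr.rtype == "NS"]
    ns_targets = {norm(rr.rdata) for rr in dropped_ns}
    dropped_glue = [rr for rr in reply.additional
                    if rr.rtype in ("A", "AAAA") and norm(rr.name) in ns_targets]
    cleaned = Reply(
        qname=reply.qname, rcode=reply.rcode,
        answer=list(reply.answer),
        authority=[rr for rr in reply.authority if rr.rtype != "NS"],
        additional=[rr for rr in reply.additional if rr not in dropped_glue],
    )
    return cleaned, dropped_ns + dropped_glue


# Constructed sample: positive answer carrying a spoofed NS RRSet in the authority
# section that would repoint the zone at a name the attacker controls.
POISONED = Reply(
    qname="www.example.com.", rcode="NOERROR",
    answer=[RR("www.example.com.", "A", "192.0.2.10")],
    authority=[RR("example.com.", "NS", "ns.attacker.invalid.")],
    additional=[RR("ns.attacker.invalid.", "A", "198.51.100.7")],
)

# Constructed sample: a genuine referral from example.com down to sub.example.com.
REFERRAL = Reply(
    qname="host.sub.example.com.", rcode="NOERROR",
    authority=[RR("sub.example.com.", "NS", "ns1.sub.example.com.")],
    additional=[RR("ns1.sub.example.com.", "A", "192.0.2.53")],
)

# Constructed sample: a non-referral nodata reply (SOA present) with an injected NS RRSet.
NODATA = Reply(
    qname="www.example.com.", rcode="NOERROR",
    authority=[RR("example.com.", "SOA", "ns1.example.com. hostmaster.example.com. 1 3600 900 604800 300"),
               RR("example.com.", "NS", "ns.attacker.invalid.")],
    additional=[RR("ns.attacker.invalid.", "AAAA", "2001:db8::7")],
)

if __name__ == "__main__":
    for label, reply in (("positive", POISONED), ("referral", REFERRAL), ("nodata", NODATA)):
        cleaned, removed = scrub_unsolicited_ns(reply, server_zone="example.com.")
        print(f"{label}: removed {[(r.name, r.rtype) for r in removed]}")
```

The glue removal is deliberately conservative: an address record in the additional section is dropped whenever it belongs to a stripped NS target, even if some other record also refers to that name, because the resolver can always re-query for it while a cached poisoned glue record cannot be undone before it expires.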
Meta Information
Published: 2025-10-22
Last Modified: 2025-12-05
Generated: 2026-05-07
AI Q&A: 2025-10-22
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 4 associated CPEs
Vendor      Product   Version / Range
nlnet_labs  unbound   1.24.2
nlnet_labs  unbound   1.13.1-1+deb11u6
nlnet_labs  unbound   1.24.0
nlnet_labs  unbound   1.24.1
CWE
CWE-349: The product, when processing trusted data, accepts any untrusted data that is also included with the trusted data, treating the untrusted data as if it were trusted.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability affects NLnet Labs Unbound DNS resolver versions up to 1.24.0. It involves 'Promiscuous NS RRSets' in the authority section of DNS replies, which are used by the resolver to update delegation information for DNS zones, specifically the zone's name servers. An attacker can exploit this by injecting spoofed NS RRSets and possibly their address records through spoofed packets or fragmentation attacks. Unbound would mistakenly trust and update its cache with this malicious data, leading to cache poisoning at the delegation point, which can result in domain hijacking. The issue is fixed in Unbound 1.24.1 by scrubbing unsolicited NS RRSets and their address records from replies. [1]

How can this vulnerability impact me?

This vulnerability can allow an attacker to perform cache poisoning on the DNS resolver, causing it to update its delegation information with malicious data. This can lead to domain hijacking, where users trying to access legitimate domains are redirected to malicious sites controlled by the attacker. Such redirection can result in phishing, data theft, malware distribution, or other security breaches impacting users and organizations relying on the affected DNS resolver. [1]
What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, immediately upgrade Unbound to version 1.24.1, which includes a fix that scrubs unsolicited NS RRSets and their associated address records from DNS replies. If upgrading is not possible right away, apply the provided patches for version 1.24.0: either the full patch with options, tests, and documentation updates or the minimal patch with essential code changes. Apply patches using the command `patch -p1 < patch_file.diff` followed by `make install`. These steps prevent cache poisoning by rejecting malicious NS RRSet injections. [1]