CVE-2025-59088
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-11-12

Last updated on: 2025-12-09

Assigner: Red Hat, Inc.

Description
If kdcproxy receives a request for a realm which does not have server addresses defined in its configuration, by default, it will query SRV records in the DNS zone matching the requested realm name. This creates a server-side request forgery vulnerability, since an attacker could send a request for a realm matching a DNS zone where they created SRV records pointing to arbitrary ports and hostnames (which may resolve to loopback or internal IP addresses). This vulnerability can be exploited to probe internal network topology and firewall rules, perform port scanning, and exfiltrate data. Deployments where the "use_dns" setting is explicitly set to false are not affected.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-11-12
Last Modified
2025-12-09
Generated
2026-06-16
AI Q&A
2025-11-13
EPSS Evaluated
2026-06-14
NVD
CVE-2025-59088
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
redhat python-kdcproxy *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-59088 is a Server-Side Request Forgery (SSRF) vulnerability in python-kdcproxy. It occurs because kdcproxy, by default, queries DNS SRV records for realms that do not have server addresses explicitly defined. An attacker who controls a DNS zone can create malicious SRV records that cause kdcproxy to send requests to arbitrary IP addresses and ports, including internal or loopback addresses. This allows the attacker to perform unauthorized network requests, potentially probing internal network topology, firewall rules, and exfiltrating data without authentication. [1, 3, 6]

Impact Analysis

This vulnerability can be exploited to perform unauthorized network requests from the vulnerable server, enabling attackers to probe internal network topology and firewall rules, conduct port scanning, and potentially exfiltrate sensitive data. It can lead to information disclosure and unauthorized access to internal or restricted network resources. The attack does not require authentication, increasing the risk of exploitation. [1, 2, 3, 6]

Detection Guidance

Detection of this vulnerability involves monitoring kdcproxy's DNS queries for unexpected SRV record lookups to realms not explicitly configured, which may indicate exploitation attempts. Additionally, reviewing kdcproxy logs for warnings about non-standard Kerberos ports or unusual DNS SRV queries can help identify suspicious activity. Since the vulnerability involves SSRF via DNS SRV records, network monitoring tools can be used to detect outbound DNS SRV queries to unusual or attacker-controlled domains. Specific commands are not provided in the resources, but administrators should check kdcproxy configuration files for the 'use_dns' and 'dns_realm_discovery' settings and monitor logs accordingly. [1]

Mitigation Strategies

Immediate mitigation steps include applying the security updates provided by Red Hat for python-kdcproxy as detailed in advisories RHSA-2025:21138, RHSA-2025:21139, RHSA-2025:21140, RHSA-2025:21141, and RHSA-2025:21142. These updates restrict DNS discovery of KDCs to only explicitly declared realms and introduce configuration options to disable unsafe DNS discovery behavior. Additionally, setting the 'use_dns' configuration parameter to false will prevent the vulnerable DNS SRV record lookups. Administrators should also review and update kdcproxy configurations to disable 'dns_realm_discovery' unless explicitly needed and monitor logs for warnings related to non-standard ports. Applying these patches and configuration changes will mitigate the SSRF vulnerability. [1, 2, 3, 4, 5, 6, 7]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-59088. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart