CVE-2025-59088
BaseFortify
Publication date: 2025-11-12
Last updated on: 2025-12-09
Assigner: Red Hat, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| redhat | python-kdcproxy | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-59088 is a Server-Side Request Forgery (SSRF) vulnerability in python-kdcproxy. It occurs because kdcproxy, by default, queries DNS SRV records for realms that do not have server addresses explicitly defined. An attacker who controls a DNS zone can create malicious SRV records that cause kdcproxy to send requests to arbitrary IP addresses and ports, including internal or loopback addresses. This allows the attacker to perform unauthorized network requests, potentially probing internal network topology, firewall rules, and exfiltrating data without authentication. [1, 3, 6]
How can this vulnerability impact me?
This vulnerability can be exploited to perform unauthorized network requests from the vulnerable server, enabling attackers to probe internal network topology and firewall rules, conduct port scanning, and potentially exfiltrate sensitive data. It can lead to information disclosure and unauthorized access to internal or restricted network resources. The attack does not require authentication, increasing the risk of exploitation. [1, 2, 3, 6]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves monitoring kdcproxy's DNS queries for unexpected SRV record lookups to realms not explicitly configured, which may indicate exploitation attempts. Additionally, reviewing kdcproxy logs for warnings about non-standard Kerberos ports or unusual DNS SRV queries can help identify suspicious activity. Since the vulnerability involves SSRF via DNS SRV records, network monitoring tools can be used to detect outbound DNS SRV queries to unusual or attacker-controlled domains. Specific commands are not provided in the resources, but administrators should check kdcproxy configuration files for the 'use_dns' and 'dns_realm_discovery' settings and monitor logs accordingly. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include applying the security updates provided by Red Hat for python-kdcproxy as detailed in advisories RHSA-2025:21138, RHSA-2025:21139, RHSA-2025:21140, RHSA-2025:21141, and RHSA-2025:21142. These updates restrict DNS discovery of KDCs to only explicitly declared realms and introduce configuration options to disable unsafe DNS discovery behavior. Additionally, setting the 'use_dns' configuration parameter to false will prevent the vulnerable DNS SRV record lookups. Administrators should also review and update kdcproxy configurations to disable 'dns_realm_discovery' unless explicitly needed and monitor logs for warnings related to non-standard ports. Applying these patches and configuration changes will mitigate the SSRF vulnerability. [1, 2, 3, 4, 5, 6, 7]
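The detection and mitigation answers above both come down to two checks: whether kdcproxy is allowed to consult DNS at all, and whether SRV lookups are being made for realms that nobody declared in the configuration. The following script is an added example, not code from the BaseFortify page or from the python-kdcproxy project. It relies on kdcproxy.conf being INI-style with a [global] section plus one section per realm (kdcproxy's documented layout); the option names use_dns and dns_realm_discovery are taken from the text above and their pre-fix default of "enabled" is an assumption; the configuration and the "srv lookup" log lines are constructed for the example and do not reproduce kdcproxy's real log format.

```python
import configparser
import re

# Constructed sample configuration: one realm declared explicitly, DNS
# discovery left at the pre-fix default (use_dns not set at all).
UNSAFE_CONF = """\
[global]
configs = mit

[EXAMPLE.COM]
kerberos = kerberos+tcp://kdc.example.com:88
kpasswd = kpasswd+udp://kdc.example.com:464
"""

# The same configuration with the advisory's mitigation applied:
# use_dns = false, so kdcproxy never consults SRV records for a realm.
HARDENED_CONF = UNSAFE_CONF.replace("[global]\n", "[global]\nuse_dns = false\n")

# Constructed log lines in a hypothetical "srv lookup <name>" format; the
# second one targets a realm that does not appear in the configuration.
SAMPLE_LOG = """\
srv lookup _kerberos._tcp.EXAMPLE.COM
srv lookup _kerberos._tcp.evil.test.
srv lookup _kpasswd._udp.EXAMPLE.COM
"""

# Kerberos SRV names look like _kerberos._tcp.<REALM> or _kpasswd._udp.<REALM>.
SRV_RE = re.compile(r"_(?:kerberos|kpasswd)\._(?:tcp|udp)\.(\S+)")


def load_conf(text):
    """Parse kdcproxy.conf; kdcproxy itself reads it with configparser."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return cp


def declared_realms(cp):
    """Every section except [global] names an explicitly configured realm."""
    return {s.upper().rstrip(".") for s in cp.sections() if s.lower() != "global"}


def dns_settings(cp):
    """Read the two DNS-related options from [global].

    Both fall back to True: an unpatched kdcproxy queries DNS unless told not
    to (the default for dns_realm_discovery is an assumption for this example).
    """
    return {
        "use_dns": cp.getboolean("global", "use_dns", fallback=True),
        "dns_realm_discovery": cp.getboolean(
            "global", "dns_realm_discovery", fallback=True
        ),
    }


def undeclared_srv_lookups(log_text, realms):
    """Return the realm of every SRV lookup that matches no declared realm."""
    hits = []
    for line in log_text.splitlines():
        m = SRV_RE.search(line)
        if m:
            realm = m.group(1).upper().rstrip(".")
            if realm not in realms:
                hits.append(realm)
    return hits


def assess(conf_text, log_text):
    """Combine the config check and the log check into one verdict."""
    cp = load_conf(conf_text)
    realms = declared_realms(cp)
    settings = dns_settings(cp)
    suspicious = undeclared_srv_lookups(log_text, realms)
    return {
        **settings,
        "declared_realms": sorted(realms),
        "undeclared_srv_lookups": suspicious,
        # DNS enabled plus SRV lookups for realms nobody configured is the
        # exact pattern the advisory describes.
        "needs_attention": settings["use_dns"] and bool(suspicious),
    }


if __name__ == "__main__":
    for name, conf in (("unsafe", UNSAFE_CONF), ("hardened", HARDENED_CONF)):
        print(name, assess(conf, SAMPLE_LOG))
```

Point load_conf at the real /etc/kdcproxy.conf and undeclared_srv_lookups at whatever source actually records the proxy's DNS queries (resolver logs, a DNS RPZ log, or packet captures of port 53 from the kdcproxy host) once the regular expression has been adapted to that source's line format. Applying the Red Hat updates remains the fix; the script only confirms that use_dns is off and surfaces lookups that should not be happening.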