CVE-2025-59029
Unknown Unknown - Not Provided

BaseFortify

Vulnerability report for CVE-2025-59029, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2025-12-09

Last updated on: 2026-02-19

Assigner: Open-Xchange

Description

An attacker can trigger an assertion failure by requesting crafted DNS records, waiting for them to be inserted into the records cache, then send a query with qtype set to ANY.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2025-12-09
Last Modified
2026-02-19
Generated
2026-07-06
AI Q&A
2025-12-09
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
powerdns recursor 5.3.0
powerdns recursor 5.3.1

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-617 The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability allows an attacker to cause an assertion failure by sending specially crafted DNS records, which are then cached. After that, the attacker sends a DNS query with the query type set to ANY, triggering the failure.

Impact Analysis

The vulnerability can cause a denial of service by triggering an assertion failure in the DNS system, potentially disrupting DNS resolution and availability.

Compliance Impact

The provided information does not specify any impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Detection Guidance

This vulnerability can be detected by monitoring DNS traffic for queries with qtype set to ANY, especially those targeting PowerDNS Recursor versions 5.3.0 and 5.3.1. You can use network packet capture tools like tcpdump or Wireshark to filter DNS queries with qtype ANY. For example, using tcpdump: tcpdump -i <interface> 'udp port 53 and (dns.qry.type == 255)' where 255 is the DNS qtype for ANY. Additionally, checking the version of PowerDNS Recursor running on your system can help identify if it is vulnerable. [1]

Mitigation Strategies

Immediate mitigation steps include upgrading PowerDNS Recursor to version 5.3.3 or newer, which contains the fix for this vulnerability. If upgrading is not immediately possible, you should block DNS queries with qtype ANY to prevent exploitation of the flaw and avoid denial of service conditions. [1]

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-59029. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart