CVE-2026-30932
DNS Injection Vulnerability in Froxlor DomainZones.add API
Publication date: 2026-03-24
Last updated on: 2026-03-26
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| froxlor | froxlor | all versions before 2.3.5 (2.3.5 itself not affected) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-30932 is a vulnerability in Froxlor, an open source server administration software, affecting versions prior to 2.3.5. The issue exists in the DomainZones.add API endpoint, which does not validate the content field for certain DNS record types (LOC, RP, SSHFP, TLSA). This lack of validation allows an attacker with DNS access to inject newline characters and BIND zone file directives (such as $INCLUDE) into DNS zone files.
When the DNS rebuild cron job runs, these maliciously crafted zone files are written to disk and processed by the BIND DNS server. This can lead to injection of arbitrary directives into the zone files, enabling attackers to read arbitrary world-readable files on the server or disrupt DNS service.
The vulnerability arises because the API endpoint accepts unsanitized input for these DNS record types, which is then incorporated into zone files without proper validation or sanitization. This issue was fixed in Froxlor version 2.3.5 by adding strict validation routines for the affected DNS record types.
How can this vulnerability impact me?
This vulnerability can have several serious impacts:
- Information Disclosure: Attackers can inject $INCLUDE directives to cause the DNS server to read and expose arbitrary world-readable files on the server, such as /etc/passwd, via DNS responses.
- DNS Service Disruption: Malformed zone files created by injected content can cause the BIND DNS server to fail loading zones, resulting in DNS outages.
- Zone Data Manipulation: Injection of newlines allows attackers to create arbitrary DNS records, potentially enabling DNS amplification attacks or other malicious DNS behaviors.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves checking for the presence of unsanitized or malformed DNS records of types LOC, RP, SSHFP, and TLSA in the Froxlor DNS management system prior to version 2.3.5.
Specifically, you can look for DNS zone files containing unexpected newline characters or BIND zone file directives such as "$INCLUDE" that should not normally appear in these records.
Since the vulnerability allows injection of arbitrary directives into zone files, inspecting the zone files on disk for suspicious entries is a key detection method.
Suggested commands include using grep or similar tools to search for suspicious patterns in zone files, for example:
- `grep -rn --include='*.zone' '\$INCLUDE' /path/to/bindconf_directory/domains/`
- `grep -rn --include='*.zone' '^\$' /path/to/bindconf_directory/domains/` (lists every directive line in the generated zone files; an injected newline followed by a directive shows up as a line starting with `$` that your installation does not normally write)
Additionally, reviewing DNS records via the Froxlor API or web UI for error messages related to invalid LOC, RP, SSHFP, or TLSA records (e.g., 'error.dns_loc_invalid') can help identify malformed entries.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade Froxlor to version 2.3.5 or later, where strict validation of DNS LOC, RP, SSHFP, and TLSA record contents has been implemented to prevent injection of malicious content.
Until the upgrade can be applied, restrict access to the DomainZones.add API endpoint to trusted users only, especially those with DNS enabled, to reduce the risk of malicious record injection.
Manually audit existing DNS zone files for injected directives or malformed records and remove any suspicious entries.
Consider temporarily disabling the DNS rebuild cron job or monitoring its output closely to detect any errors caused by malformed zone files.
Review and tighten permissions on files and directories related to DNS zone files to limit exposure.
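The fix described above is strict per-type validation of the content field before it is written into a zone line. The following is an added illustration, not Froxlor's own code: a small allowlist validator for LOC, RP, SSHFP and TLSA content (the grammars are simplified, which is an assumption of this example), beside a zone-line renderer whose `strict=False` path reproduces the unvalidated behaviour so the effect of a newline in the content field is visible.

```python
import re

# Simplified grammars for the four record types (assumption: an illustration,
# not Froxlor's own validation rules). Each is applied with re.fullmatch, so a
# newline or a stray "$INCLUDE" can never be part of an accepted value.
_HEX = r"[0-9A-Fa-f]"
_DNAME = r"[A-Za-z0-9.-]+"  # "." alone is a valid "none" name in an RP record
_GRAMMARS = {
    # SSHFP: algorithm 1-4, fingerprint type 1 (SHA-1, 40 hex) or 2 (SHA-256, 64 hex)
    "SSHFP": re.compile(rf"[1-4] (?:1 {_HEX}{{40}}|2 {_HEX}{{64}})"),
    # TLSA: usage 0-3, selector 0-1, matching type 0-2, hex association data
    "TLSA": re.compile(rf"[0-3] [01] [0-2] {_HEX}+"),
    # RP: mailbox domain name, TXT domain name
    "RP": re.compile(rf"{_DNAME} {_DNAME}"),
    # LOC: lat d [m [s]] N|S  lon d [m [s]] E|W  alt[m] [size[m] [hp[m] [vp[m]]]]
    "LOC": re.compile(
        r"\d{1,2}(?: \d{1,2}(?: \d{1,2}(?:\.\d{1,3})?)?)? [NS] "
        r"\d{1,3}(?: \d{1,2}(?: \d{1,2}(?:\.\d{1,3})?)?)? [EW] "
        r"-?\d+(?:\.\d+)?m?(?: \d+(?:\.\d+)?m?){0,3}"
    ),
}


def validate_record_content(rtype: str, content: str) -> bool:
    """Allowlist check for a record's content field; deny anything not covered."""
    if "\n" in content or "\r" in content:
        return False  # a newline would start a new zone-file line
    grammar = _GRAMMARS.get(rtype.upper())
    if grammar is None:
        return False  # record type without a grammar here: deny by default
    return grammar.fullmatch(content) is not None


def render_zone_line(name: str, ttl: int, rtype: str, content: str,
                     strict: bool = True) -> str:
    """Build one zone-file line; strict=False reproduces the unvalidated path."""
    if strict and not validate_record_content(rtype, content):
        raise ValueError(f"rejected {rtype} content: {content!r}")
    return f"{name}\t{ttl}\tIN\t{rtype}\t{content}"


if __name__ == "__main__":
    # Constructed sample: a well-formed SSHFP value followed by an injected directive.
    injected = "1 1 " + "ab" * 20 + "\n$INCLUDE /some/world-readable/file"
    print(render_zone_line("host", 3600, "SSHFP", injected, strict=False))  # two lines
    try:
        render_zone_line("host", 3600, "SSHFP", injected)
    except ValueError as exc:
        print("strict:", exc)
```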