CVE-2025-25188
Description
Hickory DNS is a Rust based DNS client, server, and resolver. A vulnerability present starting in version 0.8.0 and prior to versions 0.24.3 and 0.25.0-alpha.5 impacts Hickory DNS users relying on DNSSEC verification in the client library, stub resolver, or recursive resolver. The DNSSEC validation routines treat entire RRsets of DNSKEY records as trusted once they have established trust in only one of the DNSKEYs. As a result, if a zone includes a DNSKEY with a public key that matches a configured trust anchor, all keys in that zone will be trusted to authenticate other records in the zone. There is a second variant of this vulnerability involving DS records, where an authenticated DS record covering one DNSKEY leads to trust in signatures made by an unrelated DNSKEY in the same zone. Versions 0.24.3 and 0.25.0-alpha.5 fix the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
hickory-protocrates.io | >= 0.8.0, < 0.24.3 | 0.24.3 |
Affected products
22- Range: 0.18, 0.18.0.alpha.2, 0.19.5, …
- osv-coords21 versionspkg:apk/chainguard/linkerd2-proxypkg:apk/chainguard/shadowsocks-rustpkg:apk/chainguard/shadowsocks-rust-sslocalpkg:apk/chainguard/shadowsocks-rust-ssmanagerpkg:apk/chainguard/shadowsocks-rust-ssserverpkg:apk/chainguard/shadowsocks-rust-ssservicepkg:apk/chainguard/shadowsocks-rust-ssurlpkg:apk/chainguard/ztunnel-1.24pkg:apk/chainguard/ztunnel-1.24-compatpkg:apk/chainguard/ztunnel-fips-1.24pkg:apk/chainguard/ztunnel-fips-1.24-compatpkg:apk/wolfi/linkerd2-proxypkg:apk/wolfi/shadowsocks-rustpkg:apk/wolfi/shadowsocks-rust-sslocalpkg:apk/wolfi/shadowsocks-rust-ssmanagerpkg:apk/wolfi/shadowsocks-rust-ssserverpkg:apk/wolfi/shadowsocks-rust-ssservicepkg:apk/wolfi/shadowsocks-rust-ssurlpkg:apk/wolfi/ztunnel-1.24pkg:apk/wolfi/ztunnel-1.24-compatpkg:cargo/hickory-proto
< 2.278.0-r1+ 20 more
- (no CPE)range: < 2.278.0-r1
- (no CPE)range: < 1.22.0-r0
- (no CPE)range: < 1.22.0-r0
- (no CPE)range: < 1.22.0-r0
- (no CPE)range: < 1.22.0-r0
- (no CPE)range: < 1.22.0-r0
- (no CPE)range: < 1.22.0-r0
- (no CPE)range: < 1.24.3-r1
- (no CPE)range: < 1.24.3-r1
- (no CPE)range: < 1.24.3-r1
- (no CPE)range: < 1.24.3-r1
- (no CPE)range: < 2.278.0-r1
- (no CPE)range: < 1.22.0-r0
- (no CPE)range: < 1.22.0-r0
- (no CPE)range: < 1.22.0-r0
- (no CPE)range: < 1.22.0-r0
- (no CPE)range: < 1.22.0-r0
- (no CPE)range: < 1.22.0-r0
- (no CPE)range: < 1.24.3-r1
- (no CPE)range: < 1.24.3-r1
- (no CPE)range: >= 0.8.0, < 0.24.3
Patches
Vulnerability mechanics
References
4News mentions
0No linked articles in our index yet.