Medium severity (5.3, NVD Advisory) · Published Aug 29, 2025 · Updated Apr 15, 2026
CVE-2025-58066
Description
ntpd-rs is a tool for synchronizing your computer's clock, implementing the NTP and NTS protocols. In versions 1.2.0 through 1.6.1 inclusive, servers that allow non-NTS traffic are affected by a denial-of-service vulnerability in which an attacker can induce a message storm between two NTP servers running ntpd-rs. Client-only configurations are not affected. Affected users are recommended to upgrade to version 1.6.2 as soon as possible.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| ntpd-rs (crates.io) | >= 1.2.0, < 1.6.2 | 1.6.2 |
Affected products
Patches (1)
2d0aa5fcdec4dRelease 1.6.2
13 files changed · +23 −13
Cargo.lock+2 −2 modified@@ -573,7 +573,7 @@ dependencies = [ [[package]] name = "ntp-proto" -version = "1.6.1" +version = "1.6.2" dependencies = [ "aead", "aes-siv", @@ -590,7 +590,7 @@ dependencies = [ [[package]] name = "ntpd" -version = "1.6.1" +version = "1.6.2" dependencies = [ "async-trait", "clock-steering",
Cargo.toml+2 −2 modified@@ -11,7 +11,7 @@ resolver = "2" # Global settings for our crates [workspace.package] -version = "1.6.1" +version = "1.6.2" edition = "2021" license = "Apache-2.0 OR MIT" repository = "https://github.com/pendulum-project/ntpd-rs" @@ -60,4 +60,4 @@ zeroize = "1.7" # our own crates used as dependencies, same version as the workspace version # NOTE: keep this part at the bottom of the file, do not change this line -ntp-proto = { version = "1.6.1", path = "./ntp-proto", default-features = false, features = ["__internal-api"] } +ntp-proto = { version = "1.6.2", path = "./ntp-proto", default-features = false, features = ["__internal-api"] }
CHANGELOG.md+6 −0 modified@@ -1,5 +1,10 @@ # Changelog +## [1.6.2] - 2025-08-29 + +### Fixed +- Fixed bug that could cause a message to pingpong between two servers indefinitely. + ## [1.6.1] - 2025-07-16 ### Fixed @@ -306,6 +311,7 @@ process. - Fixed a bug in peer dispersion calculation which resulted in overly pessimistic dispersion estimates. +[1.6.2]: https://github.com/pendulum-project/ntpd-rs/compare/v1.6.1...v1.6.2 [1.6.1]: https://github.com/pendulum-project/ntpd-rs/compare/v1.6.0...v1.6.1 [1.6.0]: https://github.com/pendulum-project/ntpd-rs/compare/v1.5.0...v1.6.0 [1.5.0]: https://github.com/pendulum-project/ntpd-rs/compare/v1.4.0...v1.5.0
Cross.toml+4 −1 modified@@ -3,8 +3,11 @@ image = "ghcr.io/cross-rs/x86_64-unknown-linux-gnu" [target.armv7-unknown-linux-gnueabihf] image = "ghcr.io/cross-rs/armv7-unknown-linux-gnueabihf:main" +#pre-build = [ +# "cd /usr/local/bin && curl --proto '=https' --tlsv1.2 -LsSf https://github.com/cargo-bins/cargo-quickinstall/releases/download/bindgen-cli-0.71.1/bindgen-cli-0.71.1-x86_64-unknown-linux-gnu.tar.gz | tar -zxf -" +#] pre-build = [ - "cd /usr/local/bin && curl --proto '=https' --tlsv1.2 -LsSf https://github.com/cargo-bins/cargo-quickinstall/releases/download/bindgen-cli-0.71.1/bindgen-cli-0.71.1-x86_64-unknown-linux-gnu.tar.gz | tar -zxf -" + "apt install xz-utils && curl --proto '=https' --tlsv1.2 -LsSf https://github.com/rust-lang/rust-bindgen/releases/download/v0.71.1/bindgen-cli-installer.sh | sh && cp -r /root/.cargo/bin/* /usr/local/bin/" ] [target.aarch64-unknown-linux-gnu]
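Review bot: The old `pre-build` tarball step is kept as a commented-out block above the new one; since the replaced text stays in version control, the dead block should be dropped rather than left in the config. The new step pipes `bindgen-cli-installer.sh` from a release URL straight into `sh` and then copies everything in `/root/.cargo/bin` into `/usr/local/bin`; the download is pinned to v0.71.1 and uses TLS 1.2+, but nothing checks a digest of what was fetched, so the cross-build image trusts whatever the release asset contains at build time (the previous tarball step had the same property). Verifying a recorded checksum of the installer before running it, or vendoring it, would make the armv7 build reproducible and auditable.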
docs/man/ntp-ctl.8.md+1 −1 modified@@ -1,5 +1,5 @@ <!-- --- -title: NTP-CTL(8) ntpd-rs 1.6.1 | ntpd-rs +title: NTP-CTL(8) ntpd-rs 1.6.2 | ntpd-rs --- --> # NAME
docs/man/ntp-daemon.8.md+1 −1 modified@@ -1,5 +1,5 @@ <!-- --- -title: NTP-DAEMON(8) ntpd-rs 1.6.1 | ntpd-rs +title: NTP-DAEMON(8) ntpd-rs 1.6.2 | ntpd-rs --- --> # NAME
docs/man/ntp-metrics-exporter.8.md+1 −1 modified@@ -1,5 +1,5 @@ <!-- --- -title: NTP-METRICS-EXPORTER(8) ntpd-rs 1.6.1 | ntpd-rs +title: NTP-METRICS-EXPORTER(8) ntpd-rs 1.6.2 | ntpd-rs --- --> # NAME
docs/man/ntp.toml.5.md+1 −1 modified@@ -1,5 +1,5 @@ <!-- --- -title: NTP.TOML(5) ntpd-rs 1.6.1 | ntpd-rs +title: NTP.TOML(5) ntpd-rs 1.6.2 | ntpd-rs --- --> # NAME
docs/precompiled/man/ntp-ctl.8+1 −1 modified@@ -14,7 +14,7 @@ . ftr VB CB . ftr VBI CBI .\} -.TH "NTP-CTL" "8" "" "ntpd-rs 1.6.1" "ntpd-rs" +.TH "NTP-CTL" "8" "" "ntpd-rs 1.6.2" "ntpd-rs" .hy .SH NAME .PP
docs/precompiled/man/ntp-daemon.8+1 −1 modified@@ -14,7 +14,7 @@ . ftr VB CB . ftr VBI CBI .\} -.TH "NTP-DAEMON" "8" "" "ntpd-rs 1.6.1" "ntpd-rs" +.TH "NTP-DAEMON" "8" "" "ntpd-rs 1.6.2" "ntpd-rs" .hy .SH NAME .PP
docs/precompiled/man/ntp-metrics-exporter.8+1 −1 modified@@ -14,7 +14,7 @@ . ftr VB CB . ftr VBI CBI .\} -.TH "NTP-METRICS-EXPORTER" "8" "" "ntpd-rs 1.6.1" "ntpd-rs" +.TH "NTP-METRICS-EXPORTER" "8" "" "ntpd-rs 1.6.2" "ntpd-rs" .hy .SH NAME .PP
docs/precompiled/man/ntp.toml.5+1 −1 modified@@ -14,7 +14,7 @@ . ftr VB CB . ftr VBI CBI .\} -.TH "NTP.TOML" "5" "" "ntpd-rs 1.6.1" "ntpd-rs" +.TH "NTP.TOML" "5" "" "ntpd-rs 1.6.2" "ntpd-rs" .hy .SH NAME .PP
.github/workflows/checks.yaml+1 −0 modified@@ -187,6 +187,7 @@ jobs: clippy: name: Clippy + if: ${{ false }} strategy: matrix: include:
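Review bot: `if: ${{ false }}` switches the Clippy job off for every run with no explanation of why or when it should come back, so the workspace silently loses its lint gate as part of a release commit. A comment on the line, e.g. `# TODO(ci): clippy disabled temporarily — <reason>; re-enable once resolved`, together with a tracking issue, would keep the state visible to anyone reading the workflow. The job definition continues outside the hunk, so I cannot tell whether a single matrix entry is the real problem and could be skipped more narrowly instead of the whole job.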
da37cf167736Make sure server responds only to NTP request packets.
1 file changed · +67 −1
ntp-proto/src/server.rs+67 −1 modified@@ -188,7 +188,18 @@ impl<C: NtpClock> Server<C> { // Try and parse the message let (packet, cookie) = match NtpPacket::deserialize(message, self.keyset.as_ref()) { - Ok(packet) => packet, + Ok((packet, cookie)) => match packet.mode() { + crate::NtpAssociationMode::Client => (packet, cookie), + _ => { + stats_handler.register( + fallback_message_version(message), + false, + ServerReason::ParseError, + ServerResponse::Ignore, + ); + return ServerAction::Ignore; + } + }, Err(PacketParsingError::DecryptError(packet)) => { // Don't care about decryption errors when denying anyway if action != ServerResponse::Deny { 
@@ -908,6 +919,61 @@ mod tests { ); } + #[test] + fn test_server_ignores_non_request() { + let config = ServerConfig { + denylist: FilterList { + filter: vec![], + action: FilterAction::Deny, + }, + allowlist: FilterList { + filter: vec!["0.0.0.0/0".parse().unwrap()], + action: FilterAction::Ignore, + }, + rate_limiting_cutoff: Duration::from_millis(100), + rate_limiting_cache_size: 0, + require_nts: None, + accepted_versions: vec![NtpVersion::V4], + }; + let clock = TestClock { + cur: NtpTimestamp::from_fixed_int(200), + }; + let mut stats = TestStatHandler::default(); + + let mut server = Server::new( + config, + clock, + SystemSnapshot::default(), + KeySetProvider::new(1).get(), + ); + + let (packet, _) = NtpPacket::poll_message(PollIntervalLimits::default().min); + let mut serialized = serialize_packet_unencrypted(&packet); + + for version in 0..8 { + for mode in 0..8 { + if mode == 3 { + // Client mode should be able to get responses + continue; + } + + serialized[0] = (serialized[0] & 0xC0) | (version << 3) | mode; + + let mut buf = [0; 48]; + let response = server.handle( + "127.0.0.1".parse().unwrap(), + NtpTimestamp::from_fixed_int(100), + &serialized, + &mut buf, + &mut stats, + ); + stats.last_register.take(); + + assert!(matches!(response, ServerAction::Ignore)); + } + } + } + #[test] fn test_server_corrupted() { let config = ServerConfig {
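Review bot: In the new `_ =>` arm, a packet that parsed correctly but is not in client mode is registered with `ServerReason::ParseError`, which conflates a well-formed non-request packet with a malformed one. The whole point of this fix is that replies bouncing between two servers must never be answered, so operators will want that traffic visible as its own category in the stats rather than buried under parse errors; a dedicated reason variant, or at least a comment on the arm such as `// Well-formed but not a request: never answer, or two servers can bounce replies forever`, would keep it distinguishable. The same applies to the version passed to `stats_handler.register`: the packet has already been parsed, yet `fallback_message_version(message)` re-derives the version from the raw bytes. The test added in the second hunk discards `stats.last_register` with `take()` without checking it, so the reason recorded for these packets is not pinned down by the test. The enclosing method starts and ends outside the first hunk.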