VYPR

Recursor

by PowerDNS

CVEs (47)

  • CVE-2025-59023 · High · Feb 9, 2026
    risk 0.53 · cvss 8.2 · epss 0.00

    Crafted delegations or IP fragments can poison cached delegations in Recursor.

  • CVE-2025-30192 · High · Jul 21, 2025
    risk 0.49 · cvss 7.5 · epss 0.00

    An attacker spoofing answers to ECS enabled requests sent out by the Recursor has a chance of success higher than non-ECS enabled queries. The updated version includes various mitigations against spoofing attempts of ECS enabled queries by chaining ECS enabled requests and…

  • CVE-2025-30195 · High · Apr 7, 2025
    risk 0.49 · cvss 7.5 · epss 0.01

    An attacker can publish a zone containing specific Resource Record Sets. Processing and caching results for these sets can lead to illegal memory accesses and crash of the Recursor, causing a denial of service. The remedy is: upgrade to the patched 5.2.1 version. We would…

  • CVE-2024-25590 · High · Oct 3, 2024
    risk 0.49 · cvss 7.5 · epss 0.01

    An attacker can publish a zone containing specific Resource Record Sets. Repeatedly processing and caching results for these sets can lead to a denial of service.

  • CVE-2024-25583 · High · Apr 25, 2024
    risk 0.49 · cvss 7.5 · epss 0.01

    A crafted response from an upstream server the recursor has been configured to forward-recurse to can cause a Denial of Service in the Recursor. The default configuration of the Recursor does not use recursive forwarding and is not affected.

  • CVE-2025-59024 · Medium · Feb 9, 2026
    risk 0.42 · cvss 6.5 · epss 0.00

    Crafted delegations or IP fragments can poison cached delegations in Recursor.

  • CVE-2017-15092 · Medium · Jan 23, 2018
    risk 0.40 · cvss 6.1 · epss 0.02

    A cross-site scripting issue has been found in the web interface of PowerDNS Recursor from 4.0.0 up to and including 4.0.6, where the qname of DNS queries was displayed without any escaping, allowing a remote attacker to inject HTML and JavaScript code into the web interface,…

  • CVE-2026-33262 · Medium · Apr 22, 2026
    risk 0.38 · cvss 5.9 · epss 0.00

    An attacker can send replies that result in a null pointer dereference, caused by a missing consistency check and leading to a denial of service. Cookies are disabled by default.

  • CVE-2026-33261 · Medium · Apr 22, 2026
    risk 0.38 · cvss 5.9 · epss 0.00

    A zone transition from NSEC to NSEC3 might trigger an internal inconsistency and cause a denial of service.

  • CVE-2017-15093 · Medium · Jan 23, 2018
    risk 0.35 · cvss 5.3 · epss 0.01

    When api-config-dir is set to a non-empty value, which is not the case by default, the API in PowerDNS Recursor 4.x up to and including 4.0.6 and 3.x up to and including 3.7.4 allows an authorized user to update the Recursor's ACL by adding and removing netmasks, and to…

  • CVE-2026-33260 · Medium · Apr 22, 2026
    risk 0.34 · cvss 5.3 · epss 0.01

    An attacker can send a web request that causes unlimited memory allocation in the internal web server, leading to a denial of service. The internal web server is disabled by default.

  • CVE-2026-33258 · Medium · Apr 22, 2026
    risk 0.34 · cvss 5.3 · epss 0.01

    By publishing and querying a crafted zone an attacker can cause allocation of large entries in the negative and aggressive NSEC(3) caches.

  • CVE-2026-33257 · Medium · Apr 22, 2026
    risk 0.34 · cvss 5.3 · epss 0.01

    An attacker can send a web request that causes unlimited memory allocation in the internal web server, leading to a denial of service. The internal web server is disabled by default.

  • CVE-2026-33256 · Medium · Apr 22, 2026
    risk 0.34 · cvss 5.3 · epss 0.01

    An attacker can send a web request that causes unlimited memory allocation in the internal web server, leading to a denial of service. The internal web server is disabled by default.

  • CVE-2026-24027 · Medium · Feb 9, 2026
    risk 0.34 · cvss 5.3 · epss 0.00

    Crafted zones can lead to increased incoming network traffic.

  • CVE-2026-0398 · Medium · Feb 9, 2026
    risk 0.34 · cvss 5.3 · epss 0.00

    Crafted zones can lead to increased resource usage and crafted CNAME chains can lead to cache poisoning in Recursor.

  • CVE-2026-33259 · Medium · Apr 22, 2026
    risk 0.33 · cvss 5.0 · epss 0.00

    Having many concurrent transfers of the same RPZ can lead to inconsistent RPZ data, use after free and/or a crash of the recursor. Normally concurrent transfers of the same RPZ zone can only occur with a malfunctioning RPZ provider.

  • CVE-2026-33601 · Medium · Apr 22, 2026
    risk 0.29 · cvss 4.4 · epss 0.01

    If you use the zoneToCache function with a malicious authoritative server, an attacker can send a zone that results in a null pointer dereference, caused by a missing consistency check and leading to a denial of service.

  • CVE-2026-33600 · Medium · Apr 22, 2026
    risk 0.29 · cvss 4.4 · epss 0.01

    An RPZ sent by a malicious authoritative server can result in a null pointer dereference, caused by a missing consistency check and leading to a denial of service.

  • CVE-2015-1868 · May 18, 2015
    risk 0.07 · cvss · epss 0.82

    The label decompression functionality in PowerDNS Recursor 3.5.x, 3.6.x before 3.6.3, and 3.7.x before 3.7.2 and Authoritative (Auth) Server 3.2.x, 3.3.x before 3.3.2, and 3.4.x before 3.4.4 allows remote attackers to cause a denial of service (CPU consumption or crash) via a…
