PowerDNS

PowerDNS is a software project providing a DNS authoritative server, recursor and proxy. It is written in C++ and licensed under the GPL. It runs on most Unix derivatives. PowerDNS features a large number of different backends ranging from simple BIND style zonefiles to relational databases and load balancing/failover algorithms.

Products: 7 | CVEs: 114 | Across products: 157 | Status: Private


Recent CVEs

  • CVE-2017-7557 | High | Aug 22, 2017
    risk 0.57 | cvss 8.8 | epss 0.01

    dnsdist version 1.1.0 is vulnerable to a flaw in authentication mechanism for REST API potentially allowing CSRF attack.

  • CVE-2016-5427 | High | Sep 21, 2016
    risk 0.54 | cvss 7.5 | epss 0.63

    PowerDNS (aka pdns) Authoritative Server before 3.4.10 does not properly handle a . (dot) inside labels, which allows remote attackers to cause a denial of service (backend CPU consumption) via a crafted DNS query.

  • CVE-2025-59023 | High | Feb 9, 2026
    risk 0.53 | cvss 8.2 | epss 0.00

    Crafted delegations or IP fragments can poison cached delegations in Recursor.

  • CVE-2017-15120 | High | Jul 27, 2018
    risk 0.53 | cvss 7.5 | epss 0.52

    An issue has been found in the parsing of authoritative answers in PowerDNS Recursor before 4.0.8, leading to a NULL pointer dereference when parsing a specially crafted answer containing a CNAME of a different class than IN. An unauthenticated remote attacker could cause a…

  • CVE-2018-1046 | High | Jul 16, 2018
    risk 0.51 | cvss 7.8 | epss 0.01

    pdns before version 4.1.2 is vulnerable to a buffer overflow in dnsreplay. In the dnsreplay tool provided with PowerDNS Authoritative, replaying a specially crafted PCAP file can trigger a stack-based buffer overflow, leading to a crash and potentially arbitrary code execution.…

  • CVE-2016-5426 | High | Sep 21, 2016
    risk 0.51 | cvss 7.5 | epss 0.31

    PowerDNS (aka pdns) Authoritative Server before 3.4.10 allows remote attackers to cause a denial of service (backend CPU consumption) via a long qname.

  • CVE-2026-42001 | High | May 21, 2026
    risk 0.49 | cvss 7.5 | epss 0.00

    Insufficient Validation of Autoprimary SOA Queries

  • CVE-2026-33593 | High | Apr 22, 2026
    risk 0.49 | cvss 7.5 | epss 0.00

    A client can trigger a divide by zero error leading to crash by sending a crafted DNSCrypt query.

  • CVE-2025-30192 | High | Jul 21, 2025
    risk 0.49 | cvss 7.5 | epss 0.00

    An attacker spoofing answers to ECS enabled requests sent out by the Recursor has a chance of success higher than non-ECS enabled queries. The updated version includes various mitigations against spoofing attempts of ECS enabled queries by chaining ECS enabled requests and…

  • CVE-2025-30193 | High | May 20, 2025
    risk 0.49 | cvss 7.5 | epss 0.01

    In some circumstances, when DNSdist is configured to allow an unlimited number of queries on a single, incoming TCP connection from a client, an attacker can cause a denial of service by crafting a TCP exchange that triggers an exhaustion of the stack and a crash of DNSdist,…

  • CVE-2025-30194 | High | Apr 29, 2025
    risk 0.49 | cvss 7.5 | epss 0.02

    When DNSdist is configured to provide DoH via the nghttp2 provider, an attacker can cause a denial of service by crafting a DoH exchange that triggers an illegal memory access (double-free) and crash of DNSdist, causing a denial of service. The remedy is: upgrade to the patched…

  • CVE-2025-30195 | High | Apr 7, 2025
    risk 0.49 | cvss 7.5 | epss 0.01

    An attacker can publish a zone containing specific Resource Record Sets. Processing and caching results for these sets can lead to illegal memory accesses and crash of the Recursor, causing a denial of service. The remedy is: upgrade to the patched 5.2.1 version. We would…

  • CVE-2024-25590 | High | Oct 3, 2024
    risk 0.49 | cvss 7.5 | epss 0.01

    An attacker can publish a zone containing specific Resource Record Sets. Repeatedly processing and caching results for these sets can lead to a denial of service.

  • CVE-2024-25581 | High | May 14, 2024
    risk 0.49 | cvss 7.5 | epss 0.01

    When incoming DNS over HTTPS support is enabled using the nghttp2 provider, and queries are routed to a tcp-only or DNS over TLS backend, an attacker can trigger an assertion failure in DNSdist by sending a request for a zone transfer (AXFR or IXFR) over DNS over HTTPS, causing…

  • CVE-2024-25583 | High | Apr 25, 2024
    risk 0.49 | cvss 7.5 | epss 0.01

    A crafted response from an upstream server the recursor has been configured to forward-recurse to can cause a Denial of Service in the Recursor. The default configuration of the Recursor does not use recursive forwarding and is not affected.

  • CVE-2017-15091 | High | Jan 23, 2018
    risk 0.46 | cvss 7.1 | epss 0.01

    An issue has been found in the API component of PowerDNS Authoritative 4.x up to and including 4.0.4 and 3.x up to and including 3.4.11, where some operations that have an impact on the state of the server are still allowed even though the API has been configured as read-only…

  • CVE-2016-6172 | Medium | Sep 26, 2016
    risk 0.45 | cvss 6.8 | epss 0.04

    PowerDNS (aka pdns) Authoritative Server before 4.0.1 allows remote primary DNS servers to cause a denial of service (memory exhaustion and secondary DNS server crash) via a large (1) AXFR or (2) IXFR response.

  • CVE-2026-42000 | Medium | May 21, 2026
    risk 0.44 | cvss 6.8 | epss 0.00

    Insufficient Validation of Names During AXFR

  • CVE-2026-33602 | Medium | Apr 22, 2026
    risk 0.42 | cvss 6.5 | epss 0.01

    A rogue backend can send a crafted UDP response with a query ID off by one related to the maximum configured value, triggering an out-of-bounds write leading to a denial of service.

  • CVE-2026-24029 | Medium | Mar 31, 2026
    risk 0.42 | cvss 6.5 | epss 0.00

    When the early_acl_drop (earlyACLDrop in Lua) option is disabled (default is enabled) on a DNS over HTTPS frontend using the nghttp2 provider, the ACL check is skipped, allowing all clients to send DoH queries regardless of the configured ACL.