PowerDNS
PowerDNS is a software project providing a DNS authoritative server, recursor and proxy. It is written in C++ and licensed under the GPL. It runs on most Unix derivatives. PowerDNS features a large number of different backends ranging from simple BIND style zonefiles to relational databases and load balancing/failover algorithms.
Products (7)
- 47 CVEs
- 32 CVEs
- 25 CVEs
- 18 CVEs
- 17 CVEs
- 13 CVEs
- 5 CVEs
Recent CVEs (114)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2017-7557 | | High | 0.57 | 8.8 | 0.01 | | Aug 22, 2017 | dnsdist version 1.1.0 is vulnerable to a flaw in authentication mechanism for REST API potentially allowing CSRF attack. |
| CVE-2016-5427 | | High | 0.54 | 7.5 | 0.63 | | Sep 21, 2016 | PowerDNS (aka pdns) Authoritative Server before 3.4.10 does not properly handle a . (dot) inside labels, which allows remote attackers to cause a denial of service (backend CPU consumption) via a crafted DNS query. |
| CVE-2025-59023 | | High | 0.53 | 8.2 | 0.00 | | Feb 9, 2026 | Crafted delegations or IP fragments can poison cached delegations in Recursor. |
| CVE-2017-15120 | | High | 0.53 | 7.5 | 0.52 | | Jul 27, 2018 | An issue has been found in the parsing of authoritative answers in PowerDNS Recursor before 4.0.8, leading to a NULL pointer dereference when parsing a specially crafted answer containing a CNAME of a different class than IN. An unauthenticated remote attacker could cause a… |
| CVE-2018-1046 | | High | 0.51 | 7.8 | 0.01 | | Jul 16, 2018 | pdns before version 4.1.2 is vulnerable to a buffer overflow in dnsreplay. In the dnsreplay tool provided with PowerDNS Authoritative, replaying a specially crafted PCAP file can trigger a stack-based buffer overflow, leading to a crash and potentially arbitrary code execution.… |
| CVE-2016-5426 | | High | 0.51 | 7.5 | 0.31 | | Sep 21, 2016 | PowerDNS (aka pdns) Authoritative Server before 3.4.10 allows remote attackers to cause a denial of service (backend CPU consumption) via a long qname. |
| CVE-2026-42001 | | High | 0.49 | 7.5 | 0.00 | | May 21, 2026 | Insufficient Validation of Autoprimary SOA Queries |
| CVE-2026-33593 | | High | 0.49 | 7.5 | 0.00 | | Apr 22, 2026 | A client can trigger a divide by zero error leading to crash by sending a crafted DNSCrypt query. |
| CVE-2025-30192 | | High | 0.49 | 7.5 | 0.00 | | Jul 21, 2025 | An attacker spoofing answers to ECS enabled requests sent out by the Recursor has a chance of success higher than non-ECS enabled queries. The updated version include various mitigations against spoofing attempts of ECS enabled queries by chaining ECS enabled requests and… |
| CVE-2025-30193 | | High | 0.49 | 7.5 | 0.01 | | May 20, 2025 | In some circumstances, when DNSdist is configured to allow an unlimited number of queries on a single, incoming TCP connection from a client, an attacker can cause a denial of service by crafting a TCP exchange that triggers an exhaustion of the stack and a crash of DNSdist,… |
| CVE-2025-30194 | | High | 0.49 | 7.5 | 0.02 | | Apr 29, 2025 | When DNSdist is configured to provide DoH via the nghttp2 provider, an attacker can cause a denial of service by crafting a DoH exchange that triggers an illegal memory access (double-free) and crash of DNSdist, causing a denial of service. The remedy is: upgrade to the patched… |
| CVE-2025-30195 | | High | 0.49 | 7.5 | 0.01 | | Apr 7, 2025 | An attacker can publish a zone containing specific Resource Record Sets. Processing and caching results for these sets can lead to an illegal memory accesses and crash of the Recursor, causing a denial of service. The remedy is: upgrade to the patched 5.2.1 version. We would… |
| CVE-2024-25590 | | High | 0.49 | 7.5 | 0.01 | | Oct 3, 2024 | An attacker can publish a zone containing specific Resource Record Sets. Repeatedly processing and caching results for these sets can lead to a denial of service. |
| CVE-2024-25581 | | High | 0.49 | 7.5 | 0.01 | | May 14, 2024 | When incoming DNS over HTTPS support is enabled using the nghttp2 provider, and queries are routed to a tcp-only or DNS over TLS backend, an attacker can trigger an assertion failure in DNSdist by sending a request for a zone transfer (AXFR or IXFR) over DNS over HTTPS, causing… |
| CVE-2024-25583 | | High | 0.49 | 7.5 | 0.01 | | Apr 25, 2024 | A crafted response from an upstream server the recursor has been configured to forward-recurse to can cause a Denial of Service in the Recursor. The default configuration of the Recursor does not use recursive forwarding and is not affected. |
| CVE-2017-15091 | | High | 0.46 | 7.1 | 0.01 | | Jan 23, 2018 | An issue has been found in the API component of PowerDNS Authoritative 4.x up to and including 4.0.4 and 3.x up to and including 3.4.11, where some operations that have an impact on the state of the server are still allowed even though the API has been configured as read-only… |
| CVE-2016-6172 | | Medium | 0.45 | 6.8 | 0.04 | | Sep 26, 2016 | PowerDNS (aka pdns) Authoritative Server before 4.0.1 allows remote primary DNS servers to cause a denial of service (memory exhaustion and secondary DNS server crash) via a large (1) AXFR or (2) IXFR response. |
| CVE-2026-42000 | | Medium | 0.44 | 6.8 | 0.00 | | May 21, 2026 | Insufficient Validation of Names During AXFR |
| CVE-2026-33602 | | Medium | 0.42 | 6.5 | 0.01 | | Mar 31, 2026 | A rogue backend can send a crafted UDP response with a query ID off by one related to the maximum configured value, triggering an out-of-bounds write leading to a denial of service. |
| CVE-2026-24029 | | Medium | 0.42 | 6.5 | 0.00 | | Mar 31, 2026 | When the early_acl_drop (earlyACLDrop in Lua) option is disabled (default is enabled) on a DNS over HTTPs frontend using the nghttp2 provider, the ACL check is skipped, allowing all clients to send DoH queries regardless of the configured ACL. |