DNSSEC Validation Flaw in Hickory DNS Affects Users with Trust Anchors
CVE-2025-25188

5.7MEDIUM

Key Information:

Vendor: Hickory-dns
Status: Hickory-dns
Vendor: CVE Published:; 10 February 2025

Summary

A vulnerability in Hickory DNS, affecting versions prior to 0.24.3 and 0.25.0-alpha.5, compromises DNSSEC verification, allowing unauthorized trust in DNSKEY records. The issue arises when trust is established from just one DNSKEY in a zone, leading to potential trust in all keys within that zone. Additionally, a related issue involves DS records that can incorrectly authenticate signatures made by unrelated DNSKEYs. Users relying on DNSSEC in their deployments should upgrade to the latest versions to mitigate this risk.

Affected Version(s)

hickory-dns >= 0.8.0, < 0.24.3 < 0.8.0, 0.24.3

hickory-dns >= 0.25.0-alpha.1, < 0.25.0-alpha.5 < 0.25.0-alpha.1, 0.25.0-alpha.5

References

https://github.com/hickory-dns/hickory-dns/security/advis...

x_refsource_CONFIRM

https://github.com/hickory-dns/hickory-dns/commit/e118c6e...

x_refsource_MISC

CVSS V4

Score:

5.7

Severity:

MEDIUM

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Timeline

Vulnerability published
Feb 10, 2025
Vulnerability Reserved
Feb 3, 2025