1.1.0
1.0.1
1.0.1
0.3.3
143.0.1
823393.0.1
792.0.1
5.0.1
582.0.1
CVE-2025-59088 describes a server-side request forgery (SSRF) vulnerability in kdcproxy. This flaw allows attackers to potentially probe internal network topology and exfiltrate data by exploiting how kdcproxy handles DNS SRV record queries when realm server addresses are undefined. The vulnerability affects versions 0.0 through 1.1.0 of kdcproxy and is resolved in version 1.1.0.
The SSRF vulnerability in kdcproxy arises from its default behavior of querying DNS SRV records when a request is made for a realm without defined server addresses. An attacker can leverage this by crafting requests for realms matching DNS zones where they control SRV records. These crafted SRV records can point to arbitrary hostnames and ports, potentially revealing internal IP addresses, firewall rules, and even allowing data exfiltration if internal services are exposed. This effectively allows an attacker to map the internal network and potentially access sensitive resources.
CVE-2025-59088 was publicly disclosed on 2025-11-12. The vulnerability's exploitation context is currently unclear, with no known active campaigns or public proof-of-concept exploits. Its inclusion in the KEV catalog is pending. The ease of exploitation depends on the attacker's ability to control DNS records within the targeted environment.
Exploit Status
EPSS
0.08% (23% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-59088 is to upgrade kdcproxy to version 1.1.0 or later, which contains the fix. If upgrading is not immediately feasible, consider implementing strict DNS filtering to prevent the resolution of malicious SRV records. Network segmentation can also limit the potential impact by isolating kdcproxy from sensitive internal resources. Additionally, review kdcproxy's configuration to ensure that realm server addresses are explicitly defined, eliminating the reliance on DNS SRV record queries. After upgrade, confirm by attempting a request for a non-existent realm and verifying that kdcproxy does not query DNS SRV records.
Update kdcproxy to version 1.1.0 or higher. Alternatively, explicitly configure the "use_dns" option to false in the configuration to prevent unwanted DNS queries. This will disable the vulnerable functionality and prevent exploitation of the SSRF vulnerability.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2025-59088 is a server-side request forgery vulnerability in kdcproxy versions 0.0–1.1.0, allowing attackers to probe internal networks via DNS SRV record manipulation.
You are affected if you are running kdcproxy versions 0.0 through 1.1.0 and have not yet upgraded to 1.1.0 or implemented mitigating controls.
Upgrade kdcproxy to version 1.1.0 or later. As a workaround, implement strict DNS filtering and network segmentation.
Currently, there are no confirmed reports of active exploitation, but the vulnerability's potential impact warrants immediate attention.
Refer to the official kdcproxy project's security advisories for the most up-to-date information and guidance.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your requirements.txt file and we'll tell you instantly if you're affected.