Platform: python
Component: kdcproxy
Fixed in: 1.1.0
CVE-2025-59088 describes a server-side request forgery (SSRF) vulnerability in kdcproxy. Because kdcproxy falls back to DNS SRV record queries when a request names a realm with no configured server addresses, an attacker may be able to probe internal network topology and exfiltrate data. The vulnerability affects versions 0.0 through 1.1.0 of kdcproxy and is resolved in version 1.1.0.
The SSRF vulnerability in kdcproxy arises from its default behavior of querying DNS SRV records when a request is made for a realm without defined server addresses. An attacker who controls the SRV records of a DNS zone can craft requests for realms matching that zone; those SRV records can point to arbitrary hostnames and ports, so kdcproxy's outbound connections may reveal internal IP addresses and firewall rules, and may allow data exfiltration if internal services are exposed. This effectively allows an attacker to map the internal network and potentially reach sensitive resources.
CVE-2025-59088 was publicly disclosed on 2025-11-12. The vulnerability's exploitation context is currently unclear, with no known active campaigns or public proof-of-concept exploits. Its inclusion in the KEV catalog is pending. The ease of exploitation depends on the attacker's ability to control DNS records within the targeted environment.
Organizations deploying kdcproxy in environments with exposed internal services or where DNS records are not tightly controlled are at increased risk. Shared hosting environments where multiple users share DNS infrastructure are particularly vulnerable, as an attacker could potentially manipulate SRV records to affect other tenants.
• linux / server: Monitor kdcproxy logs for unusual DNS queries, particularly those involving SRV records. Use journalctl -u kdcproxy to filter for DNS-related entries.

    journalctl -u kdcproxy | grep 'DNS SRV record'

• generic web: Use curl to test for SSRF by attempting to access internal services through kdcproxy.

    curl http://<kdcproxy_ip>/realm/internal_service

• generic web: Examine access logs for requests to unusual or unexpected internal endpoints.
EPSS: 0.08% (23rd percentile)
The primary mitigation for CVE-2025-59088 is to upgrade kdcproxy to version 1.1.0 or later, which contains the fix. If upgrading is not immediately feasible, consider implementing strict DNS filtering to prevent the resolution of malicious SRV records. Network segmentation can also limit the potential impact by isolating kdcproxy from sensitive internal resources. Additionally, review kdcproxy's configuration to ensure that realm server addresses are explicitly defined, eliminating the reliance on DNS SRV record queries. After upgrade, confirm by attempting a request for a non-existent realm and verifying that kdcproxy does not query DNS SRV records.
Update kdcproxy to version 1.1.0 or later. Alternatively, explicitly set the "use_dns" option to false in the configuration to avoid unwanted DNS queries. This disables the vulnerable functionality and prevents exploitation of the SSRF vulnerability.
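The two configuration checks above (use_dns disabled, explicit server addresses for every realm) can be audited mechanically. The following is an added example, not code from the kdcproxy project or this advisory: it parses a kdcproxy.conf body in the layout the project documents ([global] with use_dns, one section per realm with a space-separated kerberos list) and reports what is still relying on DNS SRV fallback. The hostnames and the list of accepted URI schemes are assumptions made for the example.

```python
import configparser

# Constructed sample: DNS fallback left at its default and a realm section
# with no KDC addresses, so requests for it would trigger DNS SRV lookups.
WEAK_CONF = """\
[global]
configs = mit

[EXAMPLE.COM]
kpasswd = kpasswd+tcp://kpasswd.example.com:464
"""

# Constructed sample: DNS fallback disabled and every realm names its KDCs.
HARDENED_CONF = """\
[global]
configs = mit
use_dns = false

[EXAMPLE.COM]
kerberos = kerberos+tcp://kdc1.example.com:88 kerberos+tcp://kdc2.example.com:88
kpasswd = kpasswd+tcp://kpasswd.example.com:464
"""

# URI schemes the kdcproxy README documents for 'kerberos' (assumption).
KDC_SCHEMES = ("kerberos://", "kerberos+tcp://", "kerberos+udp://")


def audit_kdcproxy_conf(text: str) -> list[str]:
    """Return findings for a kdcproxy.conf body; an empty list means hardened."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    findings = []

    # use_dns is enabled unless explicitly false; only an explicit false
    # closes the SRV lookup path described in the advisory.
    if cp.getboolean("global", "use_dns", fallback=True):
        findings.append("global: use_dns is not false (DNS SRV fallback active)")

    realms = [s for s in cp.sections() if s != "global"]
    if not realms:
        findings.append("no realm sections: every realm would be resolved via DNS")
    for realm in realms:
        kdcs = cp.get(realm, "kerberos", fallback="").split()
        if not kdcs:
            findings.append(f"{realm}: no explicit 'kerberos' servers defined")
        for uri in kdcs:
            if not uri.startswith(KDC_SCHEMES):
                findings.append(f"{realm}: unexpected server URI {uri!r}")
    return findings
```

Run it against the deployed /etc/kdcproxy.conf after the upgrade as well: an empty result confirms that no realm depends on the SRV fallback.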
CVE-2025-59088 is a server-side request forgery vulnerability in kdcproxy versions 0.0–1.1.0, allowing attackers to probe internal networks via DNS SRV record manipulation.
You are affected if you are running kdcproxy versions 0.0 through 1.1.0 and have not yet upgraded to 1.1.0 or implemented mitigating controls.
Upgrade kdcproxy to version 1.1.0 or later. As a workaround, implement strict DNS filtering and network segmentation.
Currently, there are no confirmed reports of active exploitation, but the vulnerability's potential impact warrants immediate attention.
Refer to the official kdcproxy project's security advisories for the most up-to-date information and guidance.