Platform: python
Component: kdcproxy
Fixed in: 1.1.0
CVE-2025-59088 describes a server-side request forgery (SSRF) vulnerability in kdcproxy. An attacker who can reach the proxy's HTTP endpoint can make kdcproxy open connections to hosts and ports of the attacker's choosing, because of how kdcproxy falls back to DNS SRV lookups for realms that have no configured server addresses. This can be used to probe internal network topology and potentially to pull data back from internal services. The vulnerability affects kdcproxy versions before 1.1.0 and is fixed in 1.1.0.
The SSRF arises from kdcproxy's default behaviour when a request names a realm for which no server addresses are configured: it queries DNS for that realm's Kerberos SRV records (_kerberos._tcp.<realm> and _kerberos._udp.<realm>, plus the _kpasswd equivalents for password-change requests) and connects to whatever host and port those records name. Because the realm is chosen by the requester, the attacker only needs a DNS zone they own: they publish SRV records under it pointing at arbitrary hostnames and ports, then send requests for a realm inside that zone. Each request makes the proxy attempt a connection from its own network position, so connection success, failure and timing reveal which internal addresses and ports are reachable, and a response from an exposed internal service may be relayed back through the proxy. This lets the attacker map the internal network and potentially reach resources that are not otherwise exposed.
CVE-2025-59088 was publicly disclosed on 2025-11-12. No active exploitation campaigns and no public proof-of-concept exploits are known at the time of writing, and the vulnerability is not listed in the CISA KEV catalog. Exploitation does not require control of DNS in the target's environment: the attacker needs only a DNS zone they control (any registered domain) and the ability to send requests to the proxy endpoint, which is commonly reachable by untrusted clients because kdcproxy exists to reach a KDC from outside the network.
Deployments are at increased risk when the proxy host can reach sensitive internal services (it must reach the KDCs it fronts, so it usually can) and when realms are not pinned in the configuration, leaving the DNS fallback active. Shared deployments that front several realms compound the problem, since the proxy's network position is then exposed to every party that can send it a request, including the other tenants' users.
• linux / server: Monitor kdcproxy logs for DNS SRV lookups triggered by realms you do not serve. If kdcproxy runs as its own systemd unit:
journalctl -u kdcproxy | grep 'DNS SRV record'
Whether the lookup is logged, and under which message, depends on how kdcproxy is served (as a WSGI app under Apache or gunicorn it logs through that server), so the host's resolver or the recursive DNS server is the more reliable place to look: search for SRV queries of the form _kerberos._udp.<realm>, _kerberos._tcp.<realm>, _kpasswd._udp.<realm> and _kpasswd._tcp.<realm> for realms you do not operate.
• generic web: Test for the SSRF by sending a KDC-PROXY-MESSAGE whose target-domain is a realm under a DNS zone you control, then watch that zone's authoritative name server for the SRV queries above. kdcproxy speaks MS-KKDCP: the request is a DER-encoded body POSTed to the proxy endpoint (conventionally /KdcProxy; the exact path is set by the deployment), not a per-realm URL:
curl -s -o /dev/null -w '%{http_code}\n' -X POST -H 'Content-Type: application/kerberos' --data-binary @kdc-proxy-message.der https://<kdcproxy_host>/KdcProxy
A vulnerable proxy resolves the SRV record and attempts to connect to the host and port it names; a fixed or correctly configured one returns an error for the unknown realm without any DNS query.
• generic web: Examine the web server's access logs for POSTs to the proxy endpoint from unexpected sources and for bursts of requests, since each request can probe one SRV-designated host and port.
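The DNS fallback described above and the probe in the second bullet are both expressed in terms of the proxy's own wire format. The following is an added example, not code from this page or from the kdcproxy project (which uses pyasn1 for the same structure): it builds the KDC-PROXY-MESSAGE body for such a probe and parses incoming bodies so a front-end or log hook can flag requests for realms the proxy does not serve. It assumes the MS-KKDCP message layout with EXPLICIT context tags and the standard 4-byte Kerberos TCP length prefix; the sample PDU bytes and realm names are constructed placeholders.

```python
# Encode/decode the MS-KKDCP KDC-PROXY-MESSAGE that kdcproxy accepts. Added
# example for inspecting kdcproxy traffic, not kdcproxy's own code (the project
# uses pyasn1 for the same structure). Tags are EXPLICIT, as in the Kerberos
# ASN.1 module:
#   KDC-PROXY-MESSAGE ::= SEQUENCE {
#     kerb-message   [0] OCTET STRING,             -- 4-byte length prefix + PDU
#     target-domain  [1] KerberosString OPTIONAL,  -- GeneralString, the realm
#     dclocator-hint [2] INTEGER OPTIONAL }
import struct

SEQUENCE, OCTET_STRING, GENERAL_STRING, INTEGER = 0x30, 0x04, 0x1B, 0x02

def _der_length(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, body):
    return bytes([tag]) + _der_length(len(body)) + body

def _explicit(ctx, inner):
    return _tlv(0xA0 | ctx, inner)  # context-specific, constructed, number ctx

def _der_integer(n):
    size = 1  # minimal two's-complement length
    while not -(1 << (8 * size - 1)) <= n < (1 << (8 * size - 1)):
        size += 1
    return n.to_bytes(size, "big", signed=True)

def encode_kdc_proxy_message(kerb_pdu, target_domain=None, dclocator_hint=None):
    """kerb_pdu is a raw Kerberos message (e.g. an AS-REQ); MS-KKDCP prefixes it
    with the same 4-byte big-endian length Kerberos uses over TCP."""
    framed = struct.pack(">I", len(kerb_pdu)) + kerb_pdu
    fields = _explicit(0, _tlv(OCTET_STRING, framed))
    if target_domain is not None:
        fields += _explicit(1, _tlv(GENERAL_STRING, target_domain.encode("ascii")))
    if dclocator_hint is not None:
        fields += _explicit(2, _tlv(INTEGER, _der_integer(dclocator_hint)))
    return _tlv(SEQUENCE, fields)

def _read_tlv(buf, pos):
    """Return (tag, value, position after the element); rejects truncation."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def decode_kdc_proxy_message(body):
    """Return kerb_message (PDU without length prefix), target_domain, dclocator_hint."""
    tag, seq, end = _read_tlv(body, 0)
    if tag != SEQUENCE or end != len(body):
        raise ValueError("not a single KDC-PROXY-MESSAGE SEQUENCE")
    out = {"kerb_message": None, "target_domain": None, "dclocator_hint": None}
    pos = 0
    while pos < len(seq):
        ctag, wrapped, pos = _read_tlv(seq, pos)
        itag, value, iend = _read_tlv(wrapped, 0)
        if iend != len(wrapped):
            raise ValueError("trailing bytes inside explicit tag")
        if ctag == 0xA0 and itag == OCTET_STRING:
            if len(value) < 4 or struct.unpack(">I", value[:4])[0] != len(value) - 4:
                raise ValueError("kerb-message length prefix does not match payload")
            out["kerb_message"] = value[4:]
        elif ctag == 0xA1 and itag == GENERAL_STRING:
            out["target_domain"] = value.decode("ascii")
        elif ctag == 0xA2 and itag == INTEGER:
            out["dclocator_hint"] = int.from_bytes(value, "big", signed=True)
        else:
            raise ValueError("unexpected field tags 0x%02x/0x%02x" % (ctag, itag))
    if out["kerb_message"] is None:
        raise ValueError("kerb-message is mandatory")
    return out

def realm_allowed(body, served_realms):
    """Detection hook: True only when target-domain is a realm this proxy serves
    (exact match; realm names are case-sensitive). A missing target-domain counts
    as not allowed here; kdcproxy then takes the realm from the inner Kerberos
    message, which this example does not parse."""
    realm = decode_kdc_proxy_message(body)["target_domain"]
    return realm is not None and realm in set(served_realms)

# Constructed sample request; the PDU bytes are a placeholder, not a real AS-REQ.
SAMPLE_PDU = b"\x6a\x03\x02\x01\x05"
PROBE = encode_kdc_proxy_message(SAMPLE_PDU, "ATTACKER.EXAMPLE", dclocator_hint=0)
```

Writing PROBE to a file gives the body for the curl command above; on a vulnerable proxy the realm in target-domain is what drives the SRV lookup, so that is the field a reverse proxy or WSGI middleware should compare against the list of realms the deployment actually serves, rejecting or alerting on anything else before it reaches kdcproxy.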
EPSS: 0.08% (23rd percentile)
The primary mitigation for CVE-2025-59088 is to upgrade kdcproxy to version 1.1.0 or later, which contains the fix. If upgrading is not immediately possible, disable the DNS fallback (use_dns = false in the [global] section of the kdcproxy configuration) and define the server addresses for every realm the proxy is meant to serve, so that no request can trigger an SRV lookup. Egress filtering and network segmentation limit the impact of any remaining SSRF by isolating the proxy host from internal resources other than the KDCs it fronts. DNS filtering on the proxy host only helps if it blocks SRV lookups for every realm you do not operate, because the attacker's SRV records live in a zone the attacker controls, not in yours. After upgrading or reconfiguring, confirm the fix by sending a request for a realm under a DNS zone you control and checking that zone's authoritative name server (or the proxy host's resolver logs) for _kerberos and _kpasswd SRV queries for that realm: none should appear, and the proxy should return an error rather than a relayed response.
Update kdcproxy to version 1.1.0 or later. Alternatively, explicitly set the "use_dns" option to false in the configuration to prevent unwanted DNS queries. This disables the vulnerable functionality and prevents exploitation of the SSRF vulnerability; note that with the fallback disabled, every realm the proxy should serve must have its servers listed explicitly.
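The workaround above turns on a single setting and pins every served realm. The following is an added example, not kdcproxy's own tooling, that checks a kdcproxy configuration for exactly those two conditions so the check can run in CI or as a post-change verification. It assumes the kdcproxy.conf layout from the project's README (a [global] section carrying use_dns, and one section per realm listing kerberos/kpasswd server URIs with the kerberos, kerberos+tcp, kerberos+udp, kpasswd, kpasswd+tcp and kpasswd+udp schemes) and the conventional file location /etc/kdcproxy.conf; both embedded configurations are constructed samples.

```python
# Audit a kdcproxy configuration for the DNS SRV fallback behind CVE-2025-59088.
# Added example, not kdcproxy's own tooling. Assumes the README layout: a [global]
# section with use_dns, and one section per realm listing kerberos/kpasswd URIs.
import configparser
import sys
from urllib.parse import urlparse

SCHEMES = {"kerberos", "kerberos+tcp", "kerberos+udp",
           "kpasswd", "kpasswd+tcp", "kpasswd+udp"}

# Constructed sample with the weak setting: use_dns left at its pre-1.1.0 default,
# so a request for any realm other than EXAMPLE.COM triggers SRV lookups.
WEAK_CONFIG = """
[global]
configs = mit

[EXAMPLE.COM]
kerberos = kerberos+tcp://kdc1.example.com:88
"""

# The same deployment hardened: fallback disabled, every realm fully pinned.
HARDENED_CONFIG = """
[global]
configs = mit
use_dns = false

[EXAMPLE.COM]
kerberos = kerberos+tcp://kdc1.example.com:88 kerberos+tcp://kdc2.example.com:88
kpasswd = kpasswd+tcp://kdc1.example.com:464
"""

def audit_kdcproxy_config(text):
    """Return a list of findings; an empty list means the DNS fallback is off and
    every realm section names explicit, well-formed servers."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []

    use_dns = cp.get("global", "use_dns", fallback=None)
    if use_dns is None:
        findings.append("[global] use_dns is unset; versions before 1.1.0 then fall "
                        "back to DNS SRV lookups for unconfigured realms")
    elif cp.getboolean("global", "use_dns"):
        findings.append("[global] use_dns = %s enables SRV lookups for unconfigured realms" % use_dns)

    realms = [s for s in cp.sections() if s != "global"]
    if not realms:
        findings.append("no realm sections: nothing is pinned, so every realm depends on DNS")
    for realm in realms:
        kerberos = cp.get(realm, "kerberos", fallback="").split()
        kpasswd = cp.get(realm, "kpasswd", fallback="").split()
        if not kerberos:
            findings.append("[%s] lists no kerberos servers" % realm)
        for uri in kerberos + kpasswd:
            parsed = urlparse(uri)
            if parsed.scheme not in SCHEMES or not parsed.hostname:
                findings.append("[%s] unrecognised server URI %r" % (realm, uri))
    return findings

if __name__ == "__main__":
    # Usage: python audit_kdcproxy.py [/path/to/kdcproxy.conf]; non-zero exit on findings.
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/kdcproxy.conf"
    with open(path) as fh:
        problems = audit_kdcproxy_config(fh.read())
    for problem in problems:
        print("FINDING:", problem)
    sys.exit(1 if problems else 0)
```

The audit treats an unset use_dns as a finding rather than reading it as false, because on affected versions the unset value is what produces the SRV lookup; a realm loaded via configs = mit from the MIT krb5 configuration is not visible to this check, so realms served that way still need to be verified in krb5.conf.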
CVE-2025-59088 is a server-side request forgery vulnerability in kdcproxy versions before 1.1.0, allowing attackers to probe internal networks through SRV records published in a DNS zone they control.
You are affected if you run a kdcproxy version before 1.1.0 with the DNS SRV fallback active (use_dns not explicitly set to false) and have not applied mitigating controls.
Upgrade kdcproxy to version 1.1.0 or later. As a workaround, set use_dns = false and list every realm's servers explicitly; egress filtering and network segmentation limit the impact in the meantime.
Currently, there are no confirmed reports of active exploitation, but the vulnerability's potential impact warrants immediate attention.
Refer to the official kdcproxy project's security advisories for the most up-to-date information and guidance.