{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-5994","assignerOrgId":"206fc3a0-e175-490b-9eaa-a5738056c9f6","state":"PUBLISHED","assignerShortName":"NLnet Labs","dateReserved":"2025-06-11T09:08:05.767Z","datePublished":"2025-07-16T14:38:22.738Z","dateUpdated":"2025-11-03T18:13:56.352Z"},"containers":{"cna":{"title":"Cache poisoning via the ECS-enabled Rebirthday Attack","datePublic":"2025-07-16T00:00:00.000Z","affected":[{"vendor":"NLnet Labs","product":"Unbound","versions":[{"version":"1.6.2","status":"affected","lessThan":"1.23.0","versionType":"semver"}],"defaultStatus":"unaffected"}],"descriptions":[{"lang":"en","value":"A multi-vendor cache poisoning vulnerability named 'Rebirthday Attack' has been discovered in caching resolvers that support EDNS Client Subnet (ECS). Unbound is also vulnerable when compiled with ECS support, i.e., '--enable-subnet', AND configured to send ECS information along with queries to upstream name servers, i.e., at least one of the 'send-client-subnet', 'client-subnet-zone' or 'client-subnet-always-forward' options is used. Resolvers supporting ECS need to segregate outgoing queries to accommodate for different outgoing ECS information. This re-opens up resolvers to a birthday paradox attack (Rebirthday Attack) that tries to match the DNS transaction ID in order to cache non-ECS poisonous replies."}],"metrics":[{"format":"CVSS","scenarios":[{"lang":"en","value":"Compiled and configured for ECS support"}],"cvssV4_0":{"version":"4.0","baseScore":8.7,"baseSeverity":"HIGH","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/R:U/V:C"}}],"problemTypes":[{"descriptions":[{"lang":"en","cweId":"CWE-349","description":"CWE-349 Acceptance of Extraneous Untrusted Data With Trusted Data","type":"CWE"}]}],"solutions":[{"lang":"en","value":"This issue is fixed in 1.23.1 and all later versions. Not using EDNS Client Subnet (ECS) is also a mitigation for affected versions."}],"timeline":[{"time":"2025-01-02T00:00:00.000Z","lang":"en","value":"Issue reported by Xiang Li"},{"time":"2025-01-03T00:00:00.000Z","lang":"en","value":"Issue acknowledged by NLnet Labs"},{"time":"2025-01-08T00:00:00.000Z","lang":"en","value":"Mitigation shared with Xiang Li"},{"time":"2025-07-16T00:00:00.000Z","lang":"en","value":"Fix released with Unbound 1.23.1 (coordinated with other vendors)"}],"credits":[{"lang":"en","value":"Xiang Li (AOSP Lab, Nankai University)","type":"finder"}],"references":[{"url":"https://nlnetlabs.nl/downloads/unbound/CVE-2025-5994.txt","tags":["vendor-advisory"]}],"providerMetadata":{"orgId":"206fc3a0-e175-490b-9eaa-a5738056c9f6","shortName":"NLnet Labs","dateUpdated":"2025-07-16T14:38:22.738Z"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2025-07-16T15:42:14.147972Z","id":"CVE-2025-5994","options":[{"Exploitation":"none"},{"Automatable":"yes"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2025-07-16T15:42:18.657Z"}},{"title":"CVE Program Container","references":[{"url":"https://lists.debian.org/debian-lts-announce/2025/08/msg00019.html"}],"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2025-11-03T18:13:56.352Z"}}]}}