Bug 2382334 (CVE-2025-30192) - CVE-2025-30192 pdns-recursor: A Recursor configured to send out ECS enabled queries can be sensitive to spoofing attempts
Keywords:
Status: NEW
Alias: CVE-2025-30192
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2382364 2382365 2382366 2382367
Blocks:
Reported: 2025-07-21 13:01 UTC by OSIDB Bzimport
Modified: 2025-07-21 20:01 UTC (History)
0 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2025-07-21 13:01:30 UTC
An attacker spoofing answers to ECS enabled requests sent out by the Recursor has a chance of success higher than non-ECS enabled queries.

The updated version includes various mitigations against spoofing attempts of ECS enabled queries by chaining ECS enabled requests and enforcing stricter validation of the received answers.

The most strict mitigation is done when the new setting outgoing.edns_subnet_harden (old style name edns-subnet-harden) is enabled.

