Primary

Context

PowerDNS Recursor ECS Spoofing Vulnerability

Vulnerability

Patched

A vulnerability exists in PowerDNS Recursor versions through 5.0.10, 5.1.4, and 5.2.2, when outgoing ECS (Extended Client Subnet) is enabled. This vulnerability allows attackers to spoof responses to ECS-enabled requests, with a higher success rate compared to non-ECS queries. The issue can lead to cache pollution.

Impact

Exploitation of this vulnerability can cause cache pollution in the affected PowerDNS Recursor instance.

Remediation

Users can upgrade to PowerDNS Recursor versions 5.0.12, 5.1.6, or 5.2.4, or disable outgoing ECS queries, which is the default setting.

Added: Jul 21, 2025, 1:17 PM

Updated: Jul 21, 2025, 1:17 PM

Vulnerability Rating

Custom Algorithm

spread

4.5

impact

2.5

exploitability

7.0

remediation

8.3

relevance

0.3

threat

0.0

urgency

2.9

incentive

5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

4.5

impact

2.5

exploitability

7.0

remediation

8.3

relevance

0.3

threat

0.0

urgency

2.9

incentive

5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

PowerDNS Recursor ECS Spoofing Vulnerability

Vulnerability

Impact

Remediation

Affected Products

PowerDNS Recursor

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating