CVE-2025-5994
Cache poisoning via the ECS-enabled Rebirthday Attack
We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.
Please see our statement on Data Privacy.
Cache poisoning via the ECS-enabled Rebirthday Attack
A multi-vendor cache poisoning vulnerability named 'Rebirthday Attack' has been discovered in caching resolvers that support EDNS Client Subnet (ECS). Unbound is also vulnerable when compiled with ECS support, i.e., '--enable-subnet', AND configured to send ECS information along with queries to upstream name servers, i.e., at least one of the 'send-client-subnet', 'client-subnet-zone' or 'client-subnet-always-forward' options is used. Resolvers supporting ECS need to segregate outgoing queries to accommodate for different outgoing ECS information. This re-opens up resolvers to a birthday paradox attack (Rebirthday Attack) that tries to match the DNS transaction ID in order to cache non-ECS poisonous replies.
Reserved 2025-06-11 | Published 2025-07-16 | Updated 2025-07-16 | Assigner NLnet LabsCompiled and configured for ECS support
CWE-349 Acceptance of Extraneous Untrusted Data With Trusted Data
| 2025-01-02: | Issue reported by Xiang Li |
| 2025-01-03: | Issue acknowledged by NLnet Labs |
| 2025-01-08: | Mitigation shared with Xiang Li |
| 2025-07-16: | Fix released with Unbound 1.23.1 (coordinated with other vendors) |
Xiang Li (AOSP Lab, Nankai University)
nlnetlabs.nl/downloads/unbound/CVE-2025-5994.txt
Support options
