CVE-2025-58063
📋 TL;DR
CoreDNS etcd plugin incorrectly uses etcd lease IDs as TTL values due to improper type casting, enabling DNS cache pinning attacks. This creates a denial-of-service condition for DNS resolution of affected services. Organizations running CoreDNS with etcd plugin enabled are affected.
💻 Affected Systems
- CoreDNS
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers can poison DNS caches with extremely long TTL values, causing persistent DNS resolution failures for critical services until the cached records expire or an operator clears the cache.
Likely Case
Targeted DNS cache poisoning leading to service disruption for specific domains, requiring cache clearing or TTL expiration to restore normal operation.
If Mitigated
Limited impact with proper network segmentation and monitoring, though DNS resolution delays may still occur for affected records.
🎯 Exploit Status
Exploitation requires network access to CoreDNS server and knowledge of etcd configuration. No authentication needed if CoreDNS is exposed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.12.4
Vendor Advisory: https://github.com/coredns/coredns/security/advisories/GHSA-93mf-426m-g6x9
Restart Required: Yes
Instructions:
1. Download CoreDNS 1.12.4 or later from official releases.
2. Replace the existing CoreDNS binary with the patched version.
3. Restart the CoreDNS service.
4. Verify the version with 'coredns -version'.
🔧 Temporary Workarounds
Disable etcd plugin
Remove or comment out the etcd plugin configuration from the Corefile.
# Edit Corefile and remove lines containing 'etcd'
Network segmentation
Restrict access to CoreDNS etcd endpoints to trusted networks only.
# Configure firewall rules to limit etcd port access
🧯 If You Can't Patch
- Implement strict network ACLs to limit etcd plugin access to trusted sources only
- Deploy DNS monitoring to detect abnormal TTL values and cache poisoning attempts
🔍 How to Verify
Check if Vulnerable:
Check CoreDNS version with 'coredns -version' and verify etcd plugin is enabled in Corefile configuration
Check Version:
coredns -version
Verify Fix Applied:
Confirm version is 1.12.4 or later with 'coredns -version' and test DNS resolution with etcd-backed records
📡 Detection & Monitoring
Log Indicators:
- Unusually large TTL values in DNS responses
- Multiple failed DNS resolution attempts for etcd-backed records
Network Indicators:
- DNS queries with abnormally long TTL responses
- Increased DNS traffic to etcd endpoints
SIEM Query:
source="coredns" AND (ttl > 86400 OR ("etcd" AND "error"))