CVE-2025-59029

5.3 MEDIUM

📋 TL;DR

This vulnerability lets an unauthenticated attacker crash PowerDNS Recursor by triggering an assertion failure, causing a denial of service. The attacker first gets crafted DNS records into the recursor's cache (for example by having it resolve a name in a zone the attacker controls), then sends ANY queries for that name; processing the ANY query against the cached records trips the assertion and the process aborts. Default configurations are affected.

💻 Affected Systems

Products:
  • PowerDNS Recursor
Versions: 4.9.0 through 4.9.5
Operating Systems: All operating systems running PowerDNS Recursor
Default Config Vulnerable: ⚠️ Yes
Notes: All default configurations are vulnerable. The vulnerability is triggered when ANY queries are processed against specially crafted cached records.

📦 What is this software?

PowerDNS Recursor is a caching recursive DNS resolver: it answers client queries by querying authoritative name servers on their behalf and caches the records it receives, which is why attacker-controlled records end up in its cache.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete outage of DNS resolution for every client that relies on the affected PowerDNS Recursor instance, requiring a manual restart. Both steps (caching the crafted records, then sending ANY queries) can be repeated, so an attacker can crash the daemon again after each restart.

🟠 Likely Case: Intermittent crashes of the pdns_recursor daemon, leading to DNS resolution failures until it is restarted.

🟢 If Mitigated: Minimal impact with ANY queries refused from untrusted sources, or at least with monitoring and automatic restart in place so each crash is a brief outage rather than a prolonged one.

🌐 Internet-Facing: HIGH - an open resolver can be queried by anyone, and even a recursor that serves only its own clients fetches the crafted records from the attacker's authoritative servers; the second step (the ANY query) still requires the ability to send queries to the recursor.
🏢 Internal Only: MEDIUM - internal resolvers can be targeted by compromised internal hosts or malicious insiders, who can both cause the records to be cached and send the ANY queries.

🎯 Exploit Status

Public PoC: No
Weaponized: No public exploit known
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation is a two-step process: first get crafted records into the recursor's cache (which needs a name the recursor will resolve, typically in a zone the attacker controls), then send ANY queries for that name. No authentication is required because DNS queries are unauthenticated; the attacker only needs to be able to send queries to the recursor.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.9.6

Vendor Advisory: https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2025-07.html

Restart Required: Yes

Instructions:

1. Download PowerDNS Recursor 4.9.6 from the official repositories.
2. Stop the recursor service.
3. Install the updated package.
4. Start the recursor service.
5. Verify the service is running correctly (see How to Verify below).

🔧 Temporary Workarounds

Force ANY queries onto TCP

Applies to: all affected versions

Set 'any-to-tc=yes' in recursor.conf. The recursor then answers ANY queries received over UDP with a truncated (TC=1) response, so only clients that retry over TCP get a real answer. This shuts out attackers who spoof their source address, but an attacker who can complete a TCP handshake still gets the ANY query processed, so on its own it does not remove the trigger.

Refuse ANY queries

Applies to: all affected versions

The recursor has no built-in per-qtype rate limit, and the settings sometimes suggested for this do not help: 'max-cache-entries' only bounds the size of the record cache, and 'max-queries-per-zone' is not a recursor setting. To remove the trigger entirely, refuse ANY queries before resolution with a Lua script loaded via 'lua-dns-script', or reject them in dnsdist if it fronts the recursor. Allow ANY only from hosts that genuinely need it, since some legacy software still issues ANY queries.
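The following is an added example of the Lua workaround, not code from the PowerDNS project or its advisory. It refuses ANY queries from every source except an allowlist of trusted addresses and logs each refusal, which also gives a SIEM a countable signal for the "High volume of ANY queries" indicator in the Detection section. The script path (/etc/powerdns/refuse-any.lua) and the allowlisted prefixes are assumptions; the hook and helpers it uses (preresolve, newNMG, pdnslog, pdns.ANY, pdns.REFUSED) are the Recursor's documented Lua API.

```lua
-- Added example (not from the PowerDNS advisory): refuse ANY queries
-- from untrusted sources so the assertion cannot be triggered.
--
-- Install: save as /etc/powerdns/refuse-any.lua (assumed path) and set
--   lua-dns-script=/etc/powerdns/refuse-any.lua
-- in recursor.conf, then restart or run: rec_control reload-lua-script

-- Hosts that may still send ANY queries, e.g. internal monitoring.
-- These prefixes are assumptions; replace them with your own.
local anyAllowed = newNMG()
anyAllowed:addMask("127.0.0.0/8")
anyAllowed:addMask("::1/128")
anyAllowed:addMask("10.0.0.0/8")

-- preresolve() runs for every query (UDP and TCP) before the recursor
-- resolves it. Returning true means "this query is handled": the rcode
-- and records set on dq are sent back and no resolution takes place.
-- Returning false lets the query proceed normally.
function preresolve(dq)
  if dq.qtype ~= pdns.ANY then
    return false                    -- not ANY: resolve as usual
  end

  if anyAllowed:match(dq.remoteaddr) then
    return false                    -- trusted source: allow ANY
  end

  -- One log line per refusal; a SIEM can count these per source
  -- address to spot a spike in ANY traffic.
  pdnslog("refused ANY query for " .. dq.qname:toString() ..
          " from " .. dq.remoteaddr:toString(),
          pdns.loglevels.Warning)

  dq.rcode = pdns.REFUSED           -- answer REFUSED, no resolution
  return true
end
```

Because the hook runs before resolution for both transports, it also covers attackers who retry over TCP, which 'any-to-tc' alone does not. If dnsdist fronts the recursor, the equivalent single rule in the dnsdist configuration is `addAction(QTypeRule(DNSQType.ANY), RCodeAction(DNSRCode.REFUSED))`, optionally wrapped in an allowlist rule for the same trusted hosts.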

🧯 If You Can't Patch

  • Refuse or drop ANY queries from untrusted sources before they reach the recursor, using a DNS-aware front end such as dnsdist; ordinary L3/L4 packet filters do not inspect the query type
  • Run the daemon under a supervisor that restarts it on failure (for example a systemd unit with Restart=on-failure) and alert on each restart, so crashes are noticed rather than silently absorbed

🔍 How to Verify

Check if Vulnerable:

Check PowerDNS Recursor version with 'rec_control version' or 'pdns_recursor --version'

Check Version:

rec_control version

Verify Fix Applied:

Confirm that 'rec_control version' reports 4.9.6 or later. If you set 'any-to-tc=yes', send an ANY query over UDP and check that the response has the TC flag set; if you refuse ANY queries in Lua or dnsdist, check that an ANY query from an untrusted address is answered with REFUSED while ordinary queries still resolve.

📡 Detection & Monitoring

Log Indicators:

  • Assertion failure messages from pdns_recursor (a failed assert() aborts the process with SIGABRT)
  • Service crash/restart messages, e.g. a systemd unit exiting with status 6/ABRT and being restarted
  • High volume of ANY queries (visible in the recursor's own logs only if per-query logging is enabled with 'quiet=no')

Network Indicators:

  • Spike in ANY query traffic, especially repeated ANY queries for the same name
  • DNS resolution failures from monitoring

SIEM Query:

source="powerdns" AND ("assertion" OR "crash" OR "ANY query")

The "ANY query" term only matches if query logging is enabled; otherwise rely on the assertion and crash/restart messages, or on query-type counters from a front end such as dnsdist.

🔗 References

  • PowerDNS Security Advisory 2025-07: https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2025-07.html