CVE-2025-59030

7.5 HIGH

📋 TL;DR

This vulnerability in PowerDNS Recursor allows attackers to trigger removal of cached DNS records by sending NOTIFY queries over TCP. This enables DNS cache poisoning attacks that could redirect users to malicious sites. Organizations running PowerDNS Recursor are affected.

💻 Affected Systems

Products:
  • PowerDNS Recursor
Versions: 4.9.0 through 4.9.6
Operating Systems: All platforms running PowerDNS Recursor
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects PowerDNS Recursor, not Authoritative Server. Requires TCP connectivity to the recursor.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Attackers could poison the DNS cache to redirect all users to malicious sites, enabling phishing, malware distribution, or credential theft across entire organizations.

🟠 Likely Case: Targeted DNS cache poisoning affecting specific domains, potentially redirecting users to phishing sites or intercepting sensitive communications.

🟢 If Mitigated: Limited impact with proper network segmentation and monitoring, though DNS resolution could still be temporarily disrupted.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires network access to the recursor's TCP port (typically 53).

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.9.7

Vendor Advisory: https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2025-08.html

Restart Required: Yes

Instructions:

1. Download PowerDNS Recursor 4.9.7 from the official repository.
2. Stop the recursor service.
3. Install the updated package.
4. Start the recursor service.
5. Verify functionality.

🔧 Temporary Workarounds

Disable TCP NOTIFY (applies to: all)

Configure the recursor to reject NOTIFY queries over TCP: add 'tcp-notify=no' to recursor.conf.

Restrict TCP Access (applies to: all)

Limit TCP connections to trusted sources only: configure firewall rules to restrict TCP/53 access.

🧯 If You Can't Patch

  • Implement strict firewall rules to limit TCP access to PowerDNS Recursor from trusted sources only
  • Monitor DNS logs for unusual NOTIFY query patterns and implement rate limiting

🔍 How to Verify

Check if Vulnerable:

Check PowerDNS Recursor version: pdns_recursor --version

Check Version:

pdns_recursor --version | grep 'Version'

Verify Fix Applied:

Verify version is 4.9.7 or later and check configuration for tcp-notify setting

📡 Detection & Monitoring

Log Indicators:

  • Unusual NOTIFY query patterns
  • Multiple NOTIFY queries from single sources
  • Cache flush events

Network Indicators:

  • TCP connections to port 53 followed by NOTIFY queries
  • Unusual DNS response patterns

SIEM Query:

source="powerdns" AND (query_type="NOTIFY" OR message="cache.*flush")
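As an added detection example (not from the advisory and not PowerDNS code), a small Python parser that walks a TCP DNS byte stream (RFC 1035 two-byte length prefix per message), flags messages whose opcode is NOTIFY (4), and counts them per source so that "multiple NOTIFY queries from single sources" stands out. The traffic, source addresses, threshold and function names are constructed assumptions.

```python
import struct
from collections import Counter

NOTIFY = 4  # DNS opcode for NOTIFY (RFC 1996)

def encode_name(name):
    """Wire-format a dotted name (labels prefixed by length, terminated by 0)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def tcp_message(opcode, qname, qtype=6):
    """Constructed sample: one DNS message with the 2-byte TCP length prefix."""
    header = struct.pack("!HHHHHH", 0x1234, opcode << 11, 1, 0, 0, 0)
    body = header + encode_name(qname) + struct.pack("!HH", qtype, 1)
    return struct.pack("!H", len(body)) + body

def iter_tcp_messages(stream):
    """Yield each DNS message body from a TCP stream; stop on a truncated header."""
    pos = 0
    while pos + 2 <= len(stream):
        (n,) = struct.unpack("!H", stream[pos:pos + 2])
        body = stream[pos + 2:pos + 2 + n]
        if len(body) < 12:
            break
        yield body
        pos += 2 + n

def decode_name(msg, pos=12):
    """Read the question name following the 12-byte header (no compression expected)."""
    labels = []
    while pos < len(msg) and msg[pos] != 0 and not msg[pos] & 0xC0:
        n = msg[pos]
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii", "replace"))
        pos += 1 + n
    return ".".join(labels) + "."

def notify_report(flows, threshold=3):
    """flows: list of (src_ip, tcp_stream_bytes). Returns (notify list, noisy sources)."""
    notifies, per_src = [], Counter()
    for src, stream in flows:
        for msg in iter_tcp_messages(stream):
            opcode = (struct.unpack("!H", msg[2:4])[0] >> 11) & 0xF  # bits 11-14 of flags
            if opcode == NOTIFY:
                notifies.append((src, decode_name(msg)))
                per_src[src] += 1
    noisy = {s: c for s, c in per_src.items() if c >= threshold}
    return notifies, noisy

SAMPLE_FLOWS = [  # constructed traffic, not captured data
    ("192.0.2.10", tcp_message(0, "www.example.com.", 1) + tcp_message(NOTIFY, "example.com.")),
    ("192.0.2.20", b"".join(tcp_message(NOTIFY, z) for z in ("a.example.", "b.example.", "c.example."))),
]
```

Run over real traffic, the same parser can be fed reassembled TCP/53 payloads; an ordinary query (opcode 0) is ignored, and only sources at or above the threshold land in the noisy set.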
