Today we have released PowerDNS Recursor 5.1.8, 5.2.6 and 5.3.1.
These releases fix PowerDNS Security Advisory 2025-06: Crafted delegations or IP fragments can poison cached delegations in Recursor:
PowerDNS Security Advisory 2025-06: Crafted delegations or IP fragments can poison cached delegations in Recursor
CVE: CVE-2025-59023
Date: 15th October 2025
Affects: PowerDNS Recursor up to and including 5.1.7, 5.2.5 and 5.3.0
Not affected: PowerDNS Recursor 5.1.8, 5.2.6 and 5.3.1
Severity: High
Impact: Cache pollution
Exploit: This problem can be triggered by an attacker spoofing crafted delegations
Risk of system compromise: None
Solution: Upgrade to patched version
CVSS Score: 8.2, see
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L&version=3.1
CVE: CVE-2025-59024
Date: 15th October 2025
Affects: PowerDNS Recursor up to and including 5.1.7, 5.2.5 and 5.3.0
Not affected: PowerDNS Recursor 5.1.8, 5.2.6 and 5.3.1
Severity: Medium
Impact: Cache pollution
Exploit: This problem can be triggered by an attacker using an UDP IP fragments attack
Risk of system compromise: None
Solution: Upgrade to patched version
CVSS Score: 6.5 see
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L&version=3.1
It has been brought to our attention that the Recursor does not apply strict enough validation of received delegation information. The malicious delegation information can be sent by an attacker spoofing packets.
The updated versions of the Recursor apply strict validation of the received delegation information from authoritative servers. In versions 5.2.6 and 5.3.1 the already existing validations are tightened further, while version 5.1.8 contains a full backport of the strict validations. Note that other vendors will release updated software to fix similar issues as well.
Please refer to the changelogs (5.1.8, 5.2.6 and 5.3.1) for additional details
Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.
The tarballs (5.1.8, 5.2.6, 5.3.1) (with signature files 5.1.8, 5.2.6, 5.3.1) are available from our download server and packages for several distributions are available from our repository.
Recently we made changes to our Open Source End of Life policy. Older release trains are now supported for one year after the following major release. Consult the EOL policy for more details.
We are grateful to the PowerDNS community for the reporting of bugs, issues, feature requests, and especially to the submitters of fixes and implementations of features.
