CVE-2025-58066
Published 2025-08-29
Priority P428 · medium · 5.3 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
EPSS: 0.31% (23.0th percentile)
ntpd-rs is a tool for synchronizing your computer's clock, implementing the NTP and NTS protocols. In versions between 1.2.0 and 1.6.1 inclusive, servers which allow non-NTS traffic are affected by a denial of service vulnerability, where an attacker can induce a message storm between two NTP servers running ntpd-rs. Client-only configurations are not affected. Affected users are recommended to upgrade to version 1.6.2 as soon as possible.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | rust-ntpd | < rust-ntpd 1.6.2-1 (forky) | rust-ntpd 1.6.2-1 (forky) |
| pendulum-project | ntpd-rs | — | — |
| pendulum-project | ntpd-rs | >= 1.2.0 < 1.6.2 | 1.6.2 |
CVSS provenance
nvd · v3.1 · 5.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
osv · 5.3 MEDIUM
vendor_debian · 5.3 MEDIUM
OSV
DoS Vulnerability in ntpd-rs
osv·2025-08-29
CVE-2025-58066 [MEDIUM] DoS Vulnerability in ntpd-rs
# Summary
A denial of service vulnerability was discovered in ntpd-rs where an attacker can induce a message storm between two NTP servers running ntpd-rs.
# Details
Since version 1.2.0, ntpd-rs, when configured as a server, has incorrectly responded to all NTP messages sent to the server's port with a time reply, including responses from other servers. As a consequence, a message with a spoofed IP address of another server could cause two servers running ntpd-rs to continually respond to each other, consuming significant amounts of resources.
# Impact
Any time server running ntpd-rs with version between 1.2.0 and 1.6.1 inclusive which allows non-NTS traffic is affected. Client-only configurations are not affected. Affected users are recommended to upgrade
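The reply loop described under Details, modelled in memory as an added example (not code from ntpd-rs or from this advisory). The handler names, the 1000-reply cap and the sample packets are assumptions constructed for illustration; the strict handler shows the general defence of answering only client-mode (mode 3) requests, not the project's actual patch.

```rust
// Added illustration; all names are hypothetical, not ntpd-rs internals.
// NTP association modes live in the low 3 bits of header byte 0 (RFC 5905).
const MODE_CLIENT: u8 = 3;
const MODE_SERVER: u8 = 4;

/// Mode of a raw NTP packet; None if shorter than the 48-byte header.
fn mode(pkt: &[u8]) -> Option<u8> {
    if pkt.len() < 48 { None } else { Some(pkt[0] & 0b111) }
}

/// Minimal 48-byte server-mode reply (LI=0, VN=4, Mode=4), timestamps zeroed.
fn server_reply() -> [u8; 48] {
    let mut p = [0u8; 48];
    p[0] = (4 << 3) | MODE_SERVER;
    p
}

/// Behaviour the advisory describes: every well-formed packet gets a time reply.
fn handle_permissive(pkt: &[u8]) -> Option<[u8; 48]> {
    mode(pkt).map(|_| server_reply())
}

/// Stricter handler: only client-mode requests are answered.
fn handle_strict(pkt: &[u8]) -> Option<[u8; 48]> {
    match mode(pkt) {
        Some(MODE_CLIENT) => Some(server_reply()),
        _ => None,
    }
}

/// Bounce one packet between two servers that share `handler`; returns the
/// number of replies produced before the exchange dies out or `cap` is hit.
fn exchange(handler: fn(&[u8]) -> Option<[u8; 48]>, first: &[u8], cap: usize) -> usize {
    let mut in_flight = first.to_vec();
    let mut replies = 0;
    while replies < cap {
        match handler(&in_flight) {
            Some(r) => { in_flight = r.to_vec(); replies += 1; }
            None => break,
        }
    }
    replies
}

fn main() {
    let initial = server_reply(); // constructed sample: a server-mode packet reaching a server
    println!("permissive: {} replies", exchange(handle_permissive, &initial, 1000));
    println!("strict:     {} replies", exchange(handle_strict, &initial, 1000));
}
```

With the permissive handler the exchange only stops at the artificial cap; with the strict handler a server-mode packet produces no reply, and a genuine client request produces exactly one.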
OSV
CVE-2025-58066: ntpd-rs is a tool for synchronizing your computer's clock, implementing the NTP and NTS protocols
osv·2025-08-29·CVSS 5.3
CVE-2025-58066 [MEDIUM] CVE-2025-58066: ntpd-rs is a tool for synchronizing your computer's clock, implementing the NTP and NTS protocols
GHSA
DoS Vulnerability in ntpd-rs
ghsa·2025-08-29
CVE-2025-58066 [MEDIUM] CWE-406 DoS Vulnerability in ntpd-rs
Debian
CVE-2025-58066: rust-ntpd - ntpd-rs is a tool for synchronizing your computer's clock, implementing the NTP ...
vendor_debian·2025·CVSS 5.3
CVE-2025-58066 [MEDIUM] CVE-2025-58066: rust-ntpd - ntpd-rs is a tool for synchronizing your computer's clock, implementing the NTP ...
Scope: local
forky: resolved (fixed in 1.6.2-1)
sid: resolved (fixed in 1.6.2-1)
trixie: open
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.