CVE-2025-59030
published 2025-12-09
CVE-2025-59030: An attacker can trigger the removal of cached records by sending a NOTIFY query over TCP.
Priority P342·high·7.5·CVSS 3.1
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS
0.49%
38.1th percentile
An attacker can trigger the removal of cached records by sending a NOTIFY query over TCP.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | pdns-recursor | < pdns-recursor 5.3.3-1 (forky) | pdns-recursor 5.3.3-1 (forky) |
| powerdns | recursor | >= 5.1.0 < 5.1.9 | 5.1.9 |
| powerdns | recursor | >= 5.2.0 < 5.2.7 | 5.2.7 |
| powerdns | recursor | >= 5.3.0 < 5.3.3 | 5.3.3 |
CVSS provenance
nvd·v3.1·7.5·HIGH·CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
osv·7.5·HIGH
vendor_debian·7.5·HIGH
OSV
CVE-2025-59030: An attacker can trigger the removal of cached records by sending a NOTIFY query over TCP
osv·2025-12-09·CVSS 7.5
CVE-2025-59030 [HIGH] CVE-2025-59030: An attacker can trigger the removal of cached records by sending a NOTIFY query over TCP
An attacker can trigger the removal of cached records by sending a NOTIFY query over TCP.
GHSA
GHSA-646x-553g-6v9h: An attacker can trigger the removal of cached records by sending a NOTIFY query over TCP
ghsa_unreviewed·2025-12-09
CVE-2025-59030 [HIGH] CWE-276 GHSA-646x-553g-6v9h: An attacker can trigger the removal of cached records by sending a NOTIFY query over TCP
An attacker can trigger the removal of cached records by sending a NOTIFY query over TCP.
Debian
CVE-2025-59030: pdns-recursor - An attacker can trigger the removal of cached records by sending a NOTIFY query ...
vendor_debian·2025·CVSS 7.5
CVE-2025-59030 [HIGH] CVE-2025-59030: pdns-recursor - An attacker can trigger the removal of cached records by sending a NOTIFY query ...
An attacker can trigger the removal of cached records by sending a NOTIFY query over TCP.
Scope: local
bookworm: open
bullseye: open
forky: resolved (fixed in 5.3.3-1)
sid: resolved (fixed in 5.3.3-1)
trixie: resolved (fixed in 5.2.7-0+deb13u1)
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2025-59030 pdns-recursor: Insufficient validation of incoming notifies over TCP can lead to a denial of service [epel-8]
bugzilla·2025-12-09·CVSS 7.5
CVE-2025-59030 [HIGH] CVE-2025-59030 pdns-recursor: Insufficient validation of incoming notifies over TCP can lead to a denial of service [epel-8]
CVE-2025-59030 pdns-recursor: Insufficient validation of incoming notifies over TCP can lead to a denial of service [epel-8]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
The following link provides references to all essential vulnerability management information. If something is wrong or missing, please contact a member of PSIRT.
https://spaces.redhat.com/display/PRODSEC/Vulnerability+Management+-+Essential+Documents+for+Engineering+Teams
Discussion:
This package has changed maintainer in Fedora. Reassigning to the new maintainer of this component.
Bugzilla
CVE-2025-59030 pdns-recursor: Insufficient validation of incoming notifies over TCP can lead to a denial of service [fedora-43]
bugzilla·2025-12-09·CVSS 7.5
CVE-2025-59030 [HIGH] CVE-2025-59030 pdns-recursor: Insufficient validation of incoming notifies over TCP can lead to a denial of service [fedora-43]
CVE-2025-59030 pdns-recursor: Insufficient validation of incoming notifies over TCP can lead to a denial of service [fedora-43]
Discussion:
FEDORA-2026-9c582575e5 (pdns-recursor-5.2.8-1.fc43) has been submitted as an update to Fedora 43.
https://bodhi.fedoraproject.org/updates/FEDORA-2026-9c582575e
Bugzilla
CVE-2025-59030 pdns-recursor: Insufficient validation of incoming notifies over TCP can lead to a denial of service [fedora-42]
bugzilla·2025-12-09·CVSS 7.5
CVE-2025-59030 [HIGH] CVE-2025-59030 pdns-recursor: Insufficient validation of incoming notifies over TCP can lead to a denial of service [fedora-42]
CVE-2025-59030 pdns-recursor: Insufficient validation of incoming notifies over TCP can lead to a denial of service [fedora-42]
Discussion:
FEDORA-2026-2490896a5d (pdns-recursor-5.2.8-1.fc42) has been submitted as an update to Fedora 42.
https://bodhi.fedoraproject.org/updates/FEDORA-2026-2490896a5
Bugzilla
CVE-2025-59030 pdns-recursor: Insufficient validation of incoming notifies over TCP can lead to a denial of service [epel-9]
bugzilla·2025-12-09·CVSS 7.5
CVE-2025-59030 [HIGH] CVE-2025-59030 pdns-recursor: Insufficient validation of incoming notifies over TCP can lead to a denial of service [epel-9]
CVE-2025-59030 pdns-recursor: Insufficient validation of incoming notifies over TCP can lead to a denial of service [epel-9]
Discussion:
This package has changed maintainer in Fedora. Reassigning to the new maintainer of this component.
Wiz
CVE-2025-59030 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2025-59030 [HIGH] CVE-2025-59030 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-59030: Linux Debian vulnerability analysis and mitigation
An attacker can trigger the removal of cached records by sending a NOTIFY query over TCP.
Source: NVD
Score 7.5
Published December 9, 2025
Severity HIGH
CNA Score 7.5
Affected Technologies
Linux Debian
Linux Alpine
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 24.6
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
pdns-recursor
Sources
NVD
Alpine 3.22, 3.23 Severity HIGH Has Fix Added at: Dec 14, 2025
Alpine edge Severity HIGH Has Fix Added at: Dec 09, 2025
Debian 11, 12 Severity HIGH No Fix Added at: Dec 09, 2025
Debian 13, 14 Severity HIGH Has Fix Added at: Dec 09, 2025
Echo Seve
2025-12-09
Published