CVE-2025-5994
published 2025-07-16


Priority: P345 (high)
CVSS 4.0 base score: 8.7 (base vector AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N)
EPSS: 0.19% (8.6th percentile)
A multi-vendor cache poisoning vulnerability named 'Rebirthday Attack' has been discovered in caching resolvers that support EDNS Client Subnet (ECS). Unbound is also vulnerable when compiled with ECS support, i.e., '--enable-subnet', AND configured to send ECS information along with queries to upstream name servers, i.e., at least one of the 'send-client-subnet', 'client-subnet-zone' or 'client-subnet-always-forward' options is used. Resolvers supporting ECS need to segregate outgoing queries to accommodate different outgoing ECS information, so a single client-visible name can have several outstanding upstream queries at once. This re-opens resolvers to a birthday paradox attack (the Rebirthday Attack) that tries to match the DNS transaction ID of one of those in-flight queries in order to cache non-ECS poisonous replies. Builds without ECS support, and ECS-enabled builds that never send ECS upstream (none of the three options set), are not affected.
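The advisory's two-part precondition (ECS compiled in AND at least one of the three options set) is easy to get wrong when auditing a fleet, because a build that merely links the subnetcache module is not exposed until the configuration actually sends ECS upstream. The following Python check, added here as an example and not code from the CVE page or from the Unbound project, evaluates both parts together with the upstream version range from the table. It assumes the `unbound -V` output layout shown in the constructed sample (a `Version` line, a `Configure line:` and a `Linked modules:` line) and a flat unbound.conf with no `include:` directives; `parse_conf`, `assess` and the sample inputs are hypothetical names for this example. Because Debian, Azure Linux and CBL-Mariner ship backported fixes, for a distro package the vendor's fixed package version from the table, not the upstream triple, is what decides whether a fix is installed.

```python
"""Check whether an Unbound instance meets the CVE-2025-5994 preconditions.

Added example, not part of the CVE page or of the Unbound project.
Conditions from the advisory: a build with ECS support (--enable-subnet)
AND at least one of send-client-subnet / client-subnet-zone /
client-subnet-always-forward set, on an upstream version in the affected
range (>= 1.6.2, < 1.23.0). Distro packages backport fixes, so for a
Debian / Azure Linux / CBL-Mariner package the package version from the
vendor rows, not the upstream number, is authoritative.
"""
import re
from typing import Dict, List, Optional, Tuple

# Upstream affected range from the nlnet_labs row of the page's table.
AFFECTED_MIN = (1, 6, 2)
FIXED_IN = (1, 23, 0)

# The three options named in the advisory that make a subnet-enabled
# build send ECS data to upstream name servers.
ECS_LIST_OPTIONS = ("send-client-subnet", "client-subnet-zone")
ECS_FLAG_OPTION = "client-subnet-always-forward"


def parse_version(version_output: str) -> Optional[Tuple[int, int, int]]:
    """Pull the upstream version triple out of `unbound -V` output."""
    m = re.search(r"^Version\s+(\d+)\.(\d+)\.(\d+)", version_output, re.M)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))) if m else None


def subnet_compiled(version_output: str) -> bool:
    """True if the build advertises ECS support: --enable-subnet on the
    configure line, or subnetcache among the linked modules."""
    if "--enable-subnet" in version_output:
        return True
    return re.search(r"^Linked modules:.*\bsubnetcache\b", version_output, re.M) is not None


def parse_conf(conf_text: str) -> Dict[str, List[str]]:
    """Minimal unbound.conf reader (hypothetical helper): 'key: value'
    lines, '#' comments, repeated keys accumulate. Section headers such
    as 'server:' carry no value and are skipped. Does not follow include:."""
    opts: Dict[str, List[str]] = {}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop trailing comments
        key, sep, value = line.partition(":")         # key never contains ':'
        key, value = key.strip().lower(), value.strip().strip('"')
        if not sep or not key or not value:
            continue
        opts.setdefault(key, []).append(value)
    return opts


def ecs_upstream_triggers(opts: Dict[str, List[str]]) -> List[str]:
    """Which of the three advisory options are active in this config."""
    found = [k for k in ECS_LIST_OPTIONS if opts.get(k)]
    if any(v.lower() == "yes" for v in opts.get(ECS_FLAG_OPTION, [])):
        found.append(ECS_FLAG_OPTION)
    return found


def assess(version_output: str, conf_text: str) -> Dict[str, object]:
    """Combine version range, build flags and config into one verdict."""
    ver = parse_version(version_output)
    in_range = ver is not None and AFFECTED_MIN <= ver < FIXED_IN
    compiled = subnet_compiled(version_output)
    triggers = ecs_upstream_triggers(parse_conf(conf_text))
    return {
        "version": ver,
        "in_affected_range": in_range,
        "subnet_compiled": compiled,
        "ecs_upstream_triggers": triggers,
        "vulnerable": in_range and compiled and bool(triggers),
    }


# Constructed sample inputs (not captured from a real host).
SAMPLE_VERSION_OUTPUT = """Version 1.20.0

Configure line: --prefix=/usr --sysconfdir=/etc --enable-subnet --with-libevent
Linked libs: libevent 2.1.12-stable (it uses epoll), OpenSSL 3.0.13 30 Jan 2024
Linked modules: dns64 subnetcache respip validator iterator
"""

# Sends ECS upstream: meets the advisory's configuration condition.
VULNERABLE_CONF = """server:
    interface: 127.0.0.1
    module-config: "subnetcache validator iterator"
    send-client-subnet: 192.0.2.0/24    # forward ECS to this upstream
    client-subnet-zone: example.net
"""

# Same build with the ECS-forwarding options removed: condition not met.
MITIGATED_CONF = """server:
    interface: 127.0.0.1
    # send-client-subnet: 192.0.2.0/24
    # client-subnet-zone: example.net
    client-subnet-always-forward: no
"""

if __name__ == "__main__":
    for name, conf in (("vulnerable", VULNERABLE_CONF), ("mitigated", MITIGATED_CONF)):
        print(name, assess(SAMPLE_VERSION_OUTPUT, conf))
```

On a live host, feed `assess()` the real `unbound -V` output and the contents of unbound.conf; a result with `subnet_compiled` true but an empty `ecs_upstream_triggers` list is the case the advisory explicitly exempts, and the mitigation short of upgrading is to remove the three options so that list stays empty.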

Affected

8 ranges
Vendor      | Product                                  | Version range                 | Fixed in
debian      | unbound                                  | < 1.17.1-2+deb12u3 (bookworm) | 1.17.1-2+deb12u3 (bookworm)
msrc        | azl3_unbound_1.19.1-4_on_azure_linux_3.0 |                               |
msrc        | cbl2_unbound_1.19.1-3_on_cbl_mariner_2.0 |                               |
nlnet_labs  | unbound                                  | >= 1.6.2 < 1.23.0             | 1.23.0
nlnetlabs   | unbound                                  | >= 0 < 1.13.1-1+deb11u5       | 1.13.1-1+deb11u5
nlnetlabs   | unbound                                  | >= 0 < 1.17.1-2+deb12u3       | 1.17.1-2+deb12u3
nlnetlabs   | unbound                                  | >= 0 < 1.22.0-2               | 1.22.0-2
nlnetlabs   | unbound                                  | >= 0 < 1.22.0-2               | 1.22.0-2

CVSS provenance

nvd            | v4.0 | 8.7 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:U/V:C/RE:X/U:X
osv            |      | 8.7 | HIGH |
vendor_debian  |      | 8.7 | HIGH |
vendor_msrc    |      | 8.7 | HIGH |
vendor_redhat  |      | 8.7 | HIGH |