PowerDNS Recursor vulnerabilities
60 known vulnerabilities affecting powerdns/recursor.
Total CVEs: 60
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 2, HIGH 28, MEDIUM 29, LOW 1
Vulnerabilities
Page 1 of 3
CVE-2023-50387 | P3 | HIGH | CVSS 7.5 | CWE-770 | ≥ 4.8.0, < 4.8.6; ≥ 4.9.0, < 4.9.3; +1 more | 2024-02-14
Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the "KeyTrap" issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an al
nvd
CVE-2023-50868 | P3 | HIGH | CVSS 7.5 | CWE-400 | fixed in 4.8.5; ≥ 4.9.0, < 4.9.3; +1 more | 2024-02-14
The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC 9276 guidance is skipped) allows remote attackers to cause a denial of service (CPU consumption for SHA-1 computations) via DNSSEC responses in a random subdomain attack, aka the "NSEC3" issue. The RFC 5155 specification implies that an algorithm must perform thousands of iter
nvd
CVE-2015-1868 | P3 | HIGH | CVSS 7.8 | CWE-399 | v3.5; v3.5.1; +7 more | 2015-05-18
The label decompression functionality in PowerDNS Recursor 3.5.x, 3.6.x before 3.6.3, and 3.7.x before 3.7.2 and Authoritative (Auth) Server 3.2.x, 3.3.x before 3.3.2, and 3.4.x before 3.4.4 allows remote attackers to cause a denial of service (CPU consumption or crash) via a request with a name that refers to itself.
nvd
CVE-2020-10030 | P2 | HIGH | CVSS 8.8 | CWE-125 | ≥ 4.1.0, ≤ 4.3.0 | 2020-05-19
An issue has been found in PowerDNS Recursor 4.1.0 up to and including 4.3.0. It allows an attacker (with enough privileges to change the system's hostname) to cause disclosure of uninitialized memory content via a stack-based out-of-bounds read. It only occurs on systems where gethostname() does not have '\0' termination of the returned string if the
nvd
CVE-2018-16855 | P3 | HIGH | CVSS 7.5 | CWE-125 | fixed in 4.1.8 | 2018-12-03
An issue has been found in PowerDNS Recursor before version 4.1.8 where a remote attacker sending a DNS query can trigger an out-of-bounds memory read while computing the hash of the query for a packet cache lookup, possibly leading to a crash.
nvd
CVE-2017-15120 | P3 | HIGH | CVSS 7.5 | CWE-476 | fixed in 4.0.8 | 2018-07-27
An issue has been found in the parsing of authoritative answers in PowerDNS Recursor before 4.0.8, leading to a NULL pointer dereference when parsing a specially crafted answer containing a CNAME of a different class than IN. An unauthenticated remote attacker could cause a denial of service.
nvd
CVE-2009-4009 | P3 | CRITICAL | CVSS 10.0 | CWE-119 | ≤ 3.1.7.2; v2.0_rc1; +16 more | 2010-01-08
Buffer overflow in PowerDNS Recursor before 3.1.7.2 allows remote attackers to cause a denial of service (daemon crash) or possibly execute arbitrary code via crafted packets.
nvd
CVE-2014-8601 | P3 | MEDIUM | CVSS 5.0 | CWE-399 | ≤ 3.6.1 | 2014-12-10
PowerDNS Recursor before 3.6.2 does not limit delegation chaining, which allows remote attackers to cause a denial of service ("performance degradations") via a large or infinite number of referrals, as demonstrated by resolving domains hosted by ezdns.it.
nvd
CVE-2016-7068 | P3 | HIGH | CVSS 7.5 | CWE-20 | fixed in 3.7.4; ≥ 4.0.0, < 4.0.4 | 2018-09-11
An issue has been found in PowerDNS before 3.4.11 and 4.0.2, and PowerDNS recursor before 3.7.4 and 4.0.4, allowing a remote, unauthenticated attacker to cause an abnormal CPU usage load on the PowerDNS server by sending crafted DNS queries, which might result in a partial denial of service if the system becomes overloaded. This issue is based on the fact
nvd
CVE-2025-59023 | P3 | HIGH | CVSS 8.2 | CWE-294 | ≥ 5.1.0, < 5.1.8; ≥ 5.2.0, < 5.2.6; +1 more | 2026-02-09
Crafted delegations or IP fragments can poison cached delegations in Recursor.
nvd
CVE-2026-33612 | P3 | HIGH | CVSS 7.5 | CWE-349 | ≥ 5.2.0, < 5.2.11; ≥ 5.3.0, < 5.3.8; +1 more | 2026-06-25
A malicious authoritative server can send a crafted zone via the ZoneToCache function that leads to cache poisoning.
nvd
CVE-2019-3807 | P3 | CRITICAL | CVSS 9.8 | CWE-345 | ≥ 4.1.0, ≤ 4.1.8 | 2019-01-29
An issue has been found in PowerDNS Recursor versions 4.1.x before 4.1.9 where records in the answer section of responses received from authoritative servers with the AA flag not set were not properly validated, allowing an attacker to bypass DNSSEC validation.
nvd
CVE-2022-27227 | P3 | HIGH | CVSS 7.5 | fixed in 4.4.8; ≥ 4.5.0, < 4.5.8; +1 more | 2022-03-25
In PowerDNS Authoritative Server before 4.4.3, 4.5.x before 4.5.4, and 4.6.x before 4.6.1 and PowerDNS Recursor before 4.4.8, 4.5.x before 4.5.8, and 4.6.x before 4.6.1, insufficient validation of an IXFR end condition causes incomplete zone transfers to be handled as successful transfers.
nvd
CVE-2009-4010 | P3 | HIGH | CVSS 7.5 | ≤ 3.1.7.2; v2.0_rc1; +16 more | 2010-01-08
Unspecified vulnerability in PowerDNS Recursor before 3.1.7.2 allows remote attackers to spoof DNS data via crafted zones.
nvd
CVE-2020-12244 | P3 | HIGH | CVSS 7.5 | CWE-347 | ≥ 4.1.0, ≤ 4.3.0 | 2020-05-19
An issue has been found in PowerDNS Recursor 4.1.0 through 4.3.0 where records in the answer section of a NXDOMAIN response lacking an SOA were not properly validated in SyncRes::processAnswer, allowing an attacker to bypass DNSSEC validation.
nvd
CVE-2023-22617 | P3 | HIGH | CVSS 7.5 | CWE-674 | v4.8.0 | 2023-01-21
A remote attacker might be able to cause infinite recursion in PowerDNS Recursor 4.8.0 via a DNS query that retrieves DS records for a misconfigured domain, because QName minimization is used in QM fallback mode. This is fixed in 4.8.1.
nvd
CVE-2020-25829 | P3 | HIGH | CVSS 7.5 | fixed in 4.1.18; ≥ 4.2.0, < 4.2.5; +1 more | 2020-10-16
An issue has been found in PowerDNS Recursor before 4.1.18, 4.2.x before 4.2.5, and 4.3.x before 4.3.5. A remote attacker can cause the cached records for a given name to be updated to the Bogus DNSSEC validation state, instead of their actual DNSSEC Secure state, via a DNS ANY query. This results in a denial of service for installation that always validate (
nvd
CVE-2006-4251 | P3 | HIGH | CVSS 7.5 | ≤ 3.1.3; v2.0_rc1; +10 more | 2006-11-14
Buffer overflow in PowerDNS Recursor 3.1.3 and earlier might allow remote attackers to execute arbitrary code via a malformed TCP DNS query that prevents Recursor from properly calculating the TCP DNS query length.
nvd
CVE-2026-33256 | P3 | HIGH | CVSS 7.5 | CWE-770 | ≥ 5.2.0, < 5.2.9; ≥ 5.3.0, < 5.3.6; +2 more | 2026-04-22
An attacker can send a web request that causes unlimited memory allocation in the internal web server, leading to a denial of service. The internal web server is disabled by default.
nvd
CVE-2026-33260 | P3 | HIGH | CVSS 7.5 | CWE-770 | ≥ 5.2.0, < 5.2.9; ≥ 5.3.0, < 5.3.6; +2 more | 2026-04-22
An attacker can send a web request that causes unlimited memory allocation in the internal web server, leading to a denial of service. The internal web server is disabled by default.
nvd