PowerDNS Recursor vulnerabilities
60 known vulnerabilities affecting powerdns/recursor.
Total CVEs: 60
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 2, HIGH 28, MEDIUM 29, LOW 1
Vulnerabilities
Page 2 of 3
CVE-2026-33257 | P3 | HIGH | CVSS 7.5 | CWE-770 | ≥ 5.2.0, < 5.2.9; ≥ 5.3.0, < 5.3.6; +2 more | 2026-04-22
An attacker can send a web request that causes unlimited memory allocation in the internal web server, leading to a denial of service. The internal web server is disabled by default.
nvd
CVE-2015-5470 | P3 | HIGH | CVSS 7.8 | ≤ 3.6.3; v3.7.1; +1 more | 2015-11-02
The label decompression functionality in PowerDNS Recursor before 3.6.4 and 3.7.x before 3.7.3 and Authoritative (Auth) Server before 3.3.3 and 3.4.x before 3.4.5 allows remote attackers to cause a denial of service (CPU consumption or crash) via a request with a long name that refers to itself. NOTE: this vulnerability exists because of an incomplete fix for C
nvd
CVE-2019-3806 | P3 | HIGH | CVSS 8.1 | CWE-358 | ≥ 4.1.4, < 4.1.9 | 2019-01-29
An issue has been found in PowerDNS Recursor versions after 4.1.3 before 4.1.9 where Lua hooks are not properly applied to queries received over TCP in some specific combination of settings, possibly bypassing security policies enforced using Lua.
nvd
CVE-2025-59030 | P3 | HIGH | CVSS 7.5 | CWE-276 | ≥ 5.1.0, < 5.1.9; ≥ 5.2.0, < 5.2.7; +1 more | 2025-12-09
An attacker can trigger the removal of cached records by sending a NOTIFY query over TCP.
nvd
CVE-2026-33258 | P3 | HIGH | CVSS 7.5 | CWE-770 | ≥ 5.2.0, < 5.2.9; ≥ 5.3.0, < 5.3.6; +2 more | 2026-04-22
By publishing and querying a crafted zone an attacker can cause allocation of large entries in the negative and aggressive NSEC(3) caches.
nvd
CVE-2020-10995 | P3 | HIGH | CVSS 7.5 | CWE-400 | ≥ 4.1.0, ≤ 4.3.0 | 2020-05-19
PowerDNS Recursor from 4.1.0 up to and including 4.3.0 does not sufficiently defend against amplification attacks. An issue in the DNS protocol has been found that allows malicious parties to use recursive DNS services to attack third party authoritative name servers. The attack uses a crafted reply by an authoritative name server to amplify the result
nvd
CVE-2018-10851 | P3 | HIGH | CVSS 7.5 | CWE-400 | ≥ 3.2, ≤ 4.1.4 | 2018-11-29
PowerDNS Authoritative Server 3.3.0 up to 4.1.4 excluding 4.1.5 and 4.0.6, and PowerDNS Recursor 3.2 up to 4.1.4 excluding 4.1.5 and 4.0.9, are vulnerable to a memory leak while parsing malformed records that can lead to remote denial of service.
nvd
CVE-2024-25583 | P3 | HIGH | CVSS 7.5 | CWE-20 | v4.8.7; v4.9.4; +1 more | 2024-04-25
A crafted response from an upstream server the recursor has been configured to forward-recurse to can cause a Denial of Service in the Recursor. The default configuration of the Recursor does not use recursive forwarding and is not affected.
nvd
CVE-2025-30195 | P3 | HIGH | CVSS 7.5 | CWE-476 | v5.2.0 | 2025-04-07
An attacker can publish a zone containing specific Resource Record Sets. Processing and caching results for these sets can lead to illegal memory accesses and a crash of the Recursor, causing a denial of service.
The remedy is: upgrade to the patched 5.2.1 version.
We would like to thank Volodymyr Ilyin for bringing this issue to our attention.
nvd
CVE-2024-25590 | P3 | HIGH | CVSS 7.5 | CWE-20 | fixed in 4.9.9; ≥ 5.0.0, < 5.0.9; +1 more | 2024-10-03
An attacker can publish a zone containing specific Resource Record Sets. Repeatedly processing and caching results for these sets can lead to a denial of service.
nvd
CVE-2025-59024 | P3 | MEDIUM | CVSS 6.5 | CWE-345 | ≥ 5.1.0, < 5.1.8; ≥ 5.2.0, < 5.2.6; +1 more | 2026-02-09
Crafted delegations or IP fragments can poison cached delegations in Recursor.
nvd
CVE-2018-14626 | P3 | HIGH | CVSS 7.5 | CWE-400 | ≥ 4.0.0, ≤ 4.1.4 | 2018-11-29
PowerDNS Authoritative Server 4.1.0 up to 4.1.4 inclusive and PowerDNS Recursor 4.0.0 up to 4.1.4 inclusive are vulnerable to a packet cache pollution via crafted query that can lead to denial of service.
nvd
CVE-2018-14644 | P4 | MEDIUM | CVSS 5.9 | CWE-20 | ≥ 4.0.0, ≤ 4.1.4 | 2018-11-09
An issue has been found in PowerDNS Recursor from 4.0.0 up to and including 4.1.4. A remote attacker sending a DNS query for a meta-type like OPT can lead to a zone being wrongly cached as failing DNSSEC validation. It only arises if the parent zone is signed, and all the authoritative servers for that parent zone answer with FORMERR to a query for a
nvd
CVE-2026-42387 | P4 | MEDIUM | CVSS 5.9 | CWE-20 | ≥ 5.2.0, < 5.2.11; ≥ 5.3.0, < 5.3.8; +1 more | 2026-06-25
A malicious authoritative server can send a crafted zone via the ZoneToCache function that leads to a crash of the Recursor due to insufficient input validation.
nvd
CVE-2022-37428 | P4 | MEDIUM | CVSS 6.5 | CWE-459 | ≥ 4.5.0, < 4.5.10; ≥ 4.6.0, < 4.6.3; +1 more | 2022-08-23
PowerDNS Recursor up to and including 4.5.9, 4.6.2 and 4.7.1, when protobuf logging is enabled, has Improper Cleanup upon a Thrown Exception, leading to a denial of service (daemon crash) via a DNS query that leads to an answer with specific properties.
nvd
CVE-2017-15094 | P4 | MEDIUM | CVSS 5.9 | CWE-401 | ≥ 4.0.0, ≤ 4.0.6 | 2018-01-23
An issue has been found in the DNSSEC parsing code of PowerDNS Recursor from 4.0.0 up to and including 4.0.6 leading to a memory leak when parsing specially crafted DNSSEC ECDSA keys. These keys are only parsed when validation is enabled by setting dnssec to a value other than off or process-no-validate (default).
nvd
CVE-2016-7073 | P4 | MEDIUM | CVSS 5.9 | CWE-20 | fixed in 3.7.4; ≥ 4.0.0, < 4.0.4 | 2018-09-11
An issue has been found in PowerDNS before 3.4.11 and 4.0.2, and PowerDNS recursor before 4.0.4, allowing an attacker in position of man-in-the-middle to alter the content of an AXFR because of insufficient validation of TSIG signatures. A missing check of the TSIG time and fudge values was found in AXFRRetriever, leading to a possible replay attack.
nvd
CVE-2017-15090 | P4 | MEDIUM | CVSS 5.9 | CWE-347 | ≥ 4.0.0, ≤ 4.0.6 | 2018-01-23
An issue has been found in the DNSSEC validation component of PowerDNS Recursor from 4.0.0 and up to and including 4.0.6, where the signatures might have been accepted as valid even if the signed data was not in bailiwick of the DNSKEY used to sign it. This allows an attacker in position of man-in-the-middle to alter the content of records by issuin
nvd
CVE-2026-52690 | P4 | MEDIUM | CVSS 5.9 | CWE-290 | ≥ 5.2.0, < 5.2.11; ≥ 5.3.0, < 5.3.8; +1 more | 2026-06-25
Spoofing replies to Recursor might mark an IP of an authoritative server as not supporting EDNS, causing validation of DNSSEC records served by that server to fail.
nvd
CVE-2020-14196 | P4 | MEDIUM | CVSS 5.3 | CWE-863 | ≤ 4.1.16; ≥ 4.2.0, ≤ 4.2.2; +1 more | 2020-07-01
In PowerDNS Recursor versions up to and including 4.3.1, 4.2.2 and 4.1.16, the ACL restricting access to the internal web server is not properly enforced.
nvd