CVE-2025-59088 - Vulnerability Details

If kdcproxy receives a request for a realm which does not have server addresses defined in its configuration, by default, it will query SRV records in the DNS zone matching the requested realm name. This creates a server-side request forgery vulnerability, since an attacker could send a request for a realm matching a DNS zone where they created SRV records pointing to arbitrary ports and hostnames (which may resolve to loopback or internal IP addresses). This vulnerability can be exploited to probe internal network topology and firewall rules, perform port scanning, and exfiltrate data. Deployments where the "use_dns" setting is explicitly set to false are not affected.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable yes

Technical Impact partial

Vendors	Products
Redhat	Enterprise Linux Enterprise Linux Eus Rhel Aus Rhel E4s Rhel Eus Rhel Eus Long Life Rhel Tus

No data.

Package	CPE	Advisory	Released Date
Red Hat Enterprise Linux 10
python-kdcproxy-0:1.0.0-19.el10_1	cpe:/o:redhat:enterprise_linux:10.1	RHSA-2025:21142	2025-11-12T00:00:00Z
Red Hat Enterprise Linux 10.0 Extended Update Support
python-kdcproxy-0:1.0.0-19.el10_0	cpe:/o:redhat:enterprise_linux_eus:10.0	RHSA-2025:21141	2025-11-12T00:00:00Z
Red Hat Enterprise Linux 8
idm:client-8100020251103113748.143e9e98	cpe:/a:redhat:enterprise_linux:8	RHSA-2025:21140	2025-11-12T00:00:00Z
idm:DL1-8100020251028161822.823393f5	cpe:/a:redhat:enterprise_linux:8	RHSA-2025:21140	2025-11-12T00:00:00Z
Red Hat Enterprise Linux 9
python-kdcproxy-0:1.0.0-9.el9_7	cpe:/a:redhat:enterprise_linux:9	RHSA-2025:21139	2025-11-12T00:00:00Z
Red Hat Enterprise Linux 9.6 Extended Update Support
python-kdcproxy-0:1.0.0-9.el9_6	cpe:/a:redhat:rhel_eus:9.6	RHSA-2025:21138	2025-11-12T00:00:00Z

References

Link	Providers
https://access.redhat.com/errata/RHSA-2025:21138
https://access.redhat.com/errata/RHSA-2025:21139
https://access.redhat.com/errata/RHSA-2025:21140
https://access.redhat.com/errata/RHSA-2025:21141
https://access.redhat.com/errata/RHSA-2025:21142
https://access.redhat.com/errata/RHSA-2025:21448
https://access.redhat.com/errata/RHSA-2025:21748
https://access.redhat.com/errata/RHSA-2025:21806
https://access.redhat.com/errata/RHSA-2025:21818
https://access.redhat.com/errata/RHSA-2025:21819
https://access.redhat.com/errata/RHSA-2025:21820
https://access.redhat.com/errata/RHSA-2025:21821
https://access.redhat.com/security/cve/CVE-2025-59088
https://bugzilla.redhat.com/show_bug.cgi?id=2393955
https://github.com/latchset/kdcproxy/pull/68
https://nvd.nist.gov/vuln/detail/CVE-2025-59088
https://www.cve.org/CVERecord?id=CVE-2025-59088

History

Thu, 20 Nov 2025 09:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat rhel Eus Long Life
CPEs		cpe:/a:redhat:rhel_aus:8.2::appstream cpe:/a:redhat:rhel_aus:8.4::appstream cpe:/a:redhat:rhel_eus_long_life:8.4::appstream
Vendors & Products		Redhat rhel Eus Long Life
References		https://access.redhat.com/errata/RHSA-2025:21820 https://access.redhat.com/errata/RHSA-2025:21821

Thu, 20 Nov 2025 08:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat rhel Aus Redhat rhel Tus
CPEs		cpe:/a:redhat:rhel_aus:8.6::appstream cpe:/a:redhat:rhel_e4s:8.6::appstream cpe:/a:redhat:rhel_e4s:8.8::appstream cpe:/a:redhat:rhel_tus:8.6::appstream cpe:/a:redhat:rhel_tus:8.8::appstream
Vendors & Products		Redhat rhel Aus Redhat rhel Tus
References		https://access.redhat.com/errata/RHSA-2025:21818 https://access.redhat.com/errata/RHSA-2025:21819

Thu, 20 Nov 2025 08:00:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:/a:redhat:rhel_e4s:9.0::appstream
References		https://access.redhat.com/errata/RHSA-2025:21806

Wed, 19 Nov 2025 08:30:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:/a:redhat:rhel_eus:9.4::appstream
References		https://access.redhat.com/errata/RHSA-2025:21748

Mon, 17 Nov 2025 09:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat rhel E4s
CPEs		cpe:/a:redhat:rhel_e4s:9.2::appstream
Vendors & Products		Redhat rhel E4s
References		https://access.redhat.com/errata/RHSA-2025:21448

Thu, 13 Nov 2025 00:15:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:/a:redhat:enterprise_linux:8 cpe:/a:redhat:enterprise_linux:9 cpe:/a:redhat:rhel_eus:9.6
References		https://nvd.nist.gov/vuln/detail/CVE-2025-59088 https://www.cve.org/CVERecord?id=CVE-2025-59088
Metrics	threat_severity `None`	threat_severity `Important`

Wed, 12 Nov 2025 22:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat enterprise Linux Eus Redhat rhel Eus
CPEs	cpe:/o:redhat:enterprise_linux:10 cpe:/o:redhat:enterprise_linux:8 cpe:/o:redhat:enterprise_linux:9	cpe:/a:redhat:enterprise_linux:8::appstream cpe:/a:redhat:enterprise_linux:9::appstream cpe:/a:redhat:rhel_eus:9.6::appstream cpe:/o:redhat:enterprise_linux:10.1 cpe:/o:redhat:enterprise_linux_eus:10.0
Vendors & Products		Redhat enterprise Linux Eus Redhat rhel Eus
References		https://access.redhat.com/errata/RHSA-2025:21138 https://access.redhat.com/errata/RHSA-2025:21139 https://access.redhat.com/errata/RHSA-2025:21140 https://access.redhat.com/errata/RHSA-2025:21141 https://access.redhat.com/errata/RHSA-2025:21142

Wed, 12 Nov 2025 21:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 12 Nov 2025 15:15:00 +0000

Type	Values Removed	Values Added
Description		If kdcproxy receives a request for a realm which does not have server addresses defined in its configuration, by default, it will query SRV records in the DNS zone matching the requested realm name. This creates a server-side request forgery vulnerability, since an attacker could send a request for a realm matching a DNS zone where they created SRV records pointing to arbitrary ports and hostnames (which may resolve to loopback or internal IP addresses). This vulnerability can be exploited to probe internal network topology and firewall rules, perform port scanning, and exfiltrate data. Deployments where the "use_dns" setting is explicitly set to false are not affected.
Title		Python-kdcproxy: unauthenticated ssrf via realm‑controlled dns srv
First Time appeared		Redhat Redhat enterprise Linux
Weaknesses		CWE-918
CPEs		cpe:/o:redhat:enterprise_linux:10 cpe:/o:redhat:enterprise_linux:7 cpe:/o:redhat:enterprise_linux:8 cpe:/o:redhat:enterprise_linux:9
Vendors & Products		Redhat Redhat enterprise Linux
References		https://access.redhat.com/security/cve/CVE-2025-59088 https://bugzilla.redhat.com/show_bug.cgi?id=2393955 https://github.com/latchset/kdcproxy/pull/68
Metrics		cvssV3_1 `{'score': 8.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N'}`

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2025-11-12T16:35:27.877Z

Updated: 2025-11-20T08:56:05.899Z

Reserved: 2025-09-08T21:43:30.845Z

Link: CVE-2025-59088

Vulnrichment

Updated: 2025-11-12T20:48:13.141Z

NVD

Status : Awaiting Analysis

Published: 2025-11-12T17:15:38.153

Modified: 2025-11-20T15:17:37.227

Link: CVE-2025-59088

Redhat

Severity : Important

Publid Date: 2025-11-12T00:00:00Z

Links: CVE-2025-59088 - Bugzilla

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object