OPENSUSE-SU-2026:20099-1
Vulnerability from csaf_opensuse - Published: 2026-01-24 09:09 - Updated: 2026-01-24 09:09
Summary
Security update for coredns
Notes
Title of the patch
Security update for coredns
Description of the patch
This update for coredns fixes the following issues:
Changes in coredns:
- fix CVE-2025-68156 bsc#1255345
- fix CVE-2025-68161 bsc#1256411
- Update to version 1.14.0:
* core: Fix gosec G115 integer overflow warnings
* core: Add regex length limit
* plugin/azure: Fix slice init length
* plugin/errors: Add optional show_first flag to consolidate directive
* plugin/file: Fix for misleading SOA parser warnings
* plugin/kubernetes: Rate limits to api server
* plugin/metrics: Implement plugin chain tracking
* plugin/sign: Report parser err before missing SOA
* build(deps): bump github.com/expr-lang/expr from 1.17.6 to 1.17.7
- Update to version 1.13.2:
* core: Add basic support for DoH3
* core: Avoid proxy unnecessary alloc in Yield
* core: Fix usage of sync.Pool to save an alloc
* core: Fix data race with sync.RWMutex for uniq
* core: Prevent QUIC reload panic by lazily initializing the listener
* core: Refactor/use reflect.TypeFor
* plugin/auto: Limit regex length
* plugin/cache: Remove superfluous allocations in item.toMsg
* plugin/cache: Isolate metadata in prefetch goroutine
* plugin/cache: Correct spelling of MaximumDefaultTTL in cache and dnsutil packages
* plugin/dnstap: Better error handling (redial & logging) when Dnstap is busy
* plugin/file: Performance finetuning
* plugin/forward: Disallow NOERROR in failover
* plugin/forward: Added support for per-nameserver TLS SNI
* plugin/forward: Prevent busy loop on connection err
* plugin/forward: Add max connect attempts knob
* plugin/geoip: Add ASN schema support
* plugin/geoip: Add support for subdivisions
* plugin/kubernetes: Fix kubernetes plugin logging
* plugin/multisocket: Cap num sockets to prevent OOM
* plugin/nomad: Support service filtering
* plugin/rewrite: Pre-compile CNAME rewrite regexp
* plugin/secondary: Fix reload causing secondary plugin goroutine to leak
- Update to version 1.13.1:
* core: Avoid string concatenation in loops
* core: Update golang to 1.25.2 and golang.org/x/net to v0.45.0 on CVE fixes
* plugin/sign: Reject invalid UTF-8 dbfile token
- Update to version 1.13.0:
* core: Export timeout values in dnsserver.Server
* core: Fix Corefile infinite loop on unclosed braces
* core: Fix Corefile related import cycle issue
* core: Normalize panics on invalid origins
* core: Rely on dns.Server.ShutdownContext to gracefully stop
* plugin/dnstap: Add bounds for plugin args
* plugin/file: Fix data race in tree Elem.Name
* plugin/forward: No failover to next upstream when receiving SERVFAIL or REFUSED response codes
* plugin/grpc: Enforce DNS message size limits
* plugin/loop: Prevent panic when ListenHosts is empty
* plugin/loop: Avoid panic on invalid server block
* plugin/nomad: Add a Nomad plugin
* plugin/reload: Prevent SIGTERM/reload deadlock
- fix CVE-2025-58063 bsc#1249389
- Update to version 1.12.4:
* bump deps
* fix(transfer): goroutine leak on axfr err (#7516)
* plugin/etcd: fix import order for ttl test (#7515)
* fix(grpc): check proxy list length in policies (#7512)
* fix(https): propagate HTTP request context (#7491)
* fix(plugin): guard nil lookups across plugins (#7494)
* lint: add missing prealloc to backend lookup test (#7510)
* fix(grpc): span leak on error attempt (#7487)
* test(plugin): improve backend lookup coverage (#7496)
* lint: enable prealloc (#7493)
* lint: enable durationcheck (#7492)
* Add Sophotech to adopters list (#7495)
* plugin: Use %w to wrap user error (#7489)
* fix(metrics): add timeouts to metrics HTTP server (#7469)
* chore(ci): restrict token permissions (#7470)
* chore(ci): pin workflow dependencies (#7471)
* fix(forward): use netip package for parsing (#7472)
* test(plugin): improve test coverage for pprof (#7473)
* build(deps): bump github.com/go-viper/mapstructure/v2 (#7468)
* plugin/file: fix label offset problem in ClosestEncloser (#7465)
* feat(trace): migrate dd-trace-go v1 to v2 (#7466)
* test(multisocket): deflake restart by using a fresh port and coordinated cleanup (#7438)
* chore: update Go version to 1.24.6 (#7437)
* plugin/header: Remove deprecated syntax (#7436)
* plugin/loadbalance: support prefer option (#7433)
* Improve caddy.GracefulServer conformance checks (#7416)
- Update to version 1.12.3:
* chore: Minor changes to `Dockerfile` (#7428)
* Properly create hostname from IPv6 (#7431)
* Bump deps
* fix: handle cached connection closure in forward plugin (#7427)
* plugin/test: fix TXT record comparison for multi-chunk vs multiple records
* plugin/file: preserve case in SRV record names and targets per RFC 6763
* fix(auto/file): return REFUSED when no next plugin is available (#7381)
* Port to AWS Go SDK v2 (#6588)
* fix(cache): data race when refreshing cached messages (#7398)
* fix(cache): data race when updating the TTL of cached messages (#7397)
* chore: fix docs incompatibility (#7390)
* plugin/rewrite: Add EDNS0 Unset Action (#7380)
* add args: startup_timeout for kubernetes plugin (#7068)
* [plugin/cache] create a copy of a response to ensure original data is never modified
* Add support for fallthrough to the grpc plugin (#7359)
* view: Add IPv6 example match (#7355)
* chore: enable more rules from revive (#7352)
* chore: enable early-return and superfluous-else from revive (#7129)
* test(plugin): improve tests for auto (#7348)
* fix(proxy): flaky dial tests (#7349)
* test: add t.Helper() calls to test helper functions (#7351)
* fix(kubernetes): multicluster DNS race condition (#7350)
* lint: enable wastedassign linter (#7340)
* test(plugin): add tests for any (#7341)
* Actually invoke make release -f Makefile.release during test (#7338)
* Keep golang to 1.24.2 due to build issues in 1.24.3 (#7337)
* lint: enable protogetter linter (#7336)
* lint: enable nolintlint linter (#7332)
* fix: missing intrange lint fix (#7333)
* perf(kubernetes): optimize AutoPath slice allocation (#7323)
* lint: enable intrange linter (#7331)
* feat(plugin/file): fallthrough (#7327)
* lint: enable canonicalheader linter (#7330)
* fix(proxy): avoid Dial hang after Transport stopped (#7321)
* test(plugin): add tests for pkg/rand (#7320)
* test(dnsserver): add unit tests for gRPC and QUIC servers (#7319)
* fix: loop variable capture and linter (#7328)
* lint: enable usetesting linter (#7322)
* test: skip certain network-specific tests on non-Linux (#7318)
* test(dnsserver): improve core/dnsserver test coverage (#7317)
* fix(metrics): preserve request size from plugins (#7313)
* fix: ensure DNS query name reset in plugin.NS error path (#7142)
* feat: enable plugins via environment during build (#7310)
* fix(plugin/bind): remove zone for link-local IPv4 (#7295)
* test(request): improve coverage across package (#7307)
* test(coremain): Add unit tests (#7308)
* ci(test-e2e): add Go version setup to workflow (#7309)
* kubernetes: add multicluster support (#7266)
* chore: Add new maintainer thevilledev (#7298)
* Update golangci-lint (#7294)
* feat: limit concurrent DoQ streams and goroutines (#7296)
* docs: add man page for multisocket plugin (#7297)
* Prepare for the k8s api upgrade (#7293)
* fix(rewrite): truncated upstream response (#7277)
* fix(plugin/secondary): make transfer property mandatory (#7249)
* plugin/bind: remove macOS bug mention in docs (#7250)
* Remove `?bla=foo:443` for `POST` DoH (#7257)
* Do not interrupt querying readiness probes for plugins (#6975)
* Added `SetProxyOptions` function for `forward` plugin (#7229)
- Backported quic-go PR #5094: Fix parsing of ifindex from packets to ensure compatibility with big-endian architectures (see quic-go/quic-go#4978, coredns/coredns#6682).
- Update to version 1.12.1:
* core: Increase CNAME lookup limit from 7 to 10 (#7153)
* plugin/kubernetes: Fix handling of pods having DeletionTimestamp set
* plugin/kubernetes: Revert "only create PTR records for endpoints with hostname defined"
* plugin/forward: added option failfast_all_unhealthy_upstreams to return servfail if all upstreams are down
* bump dependencies, fixing bsc#1239294 and bsc#1239728
- Update to version 1.12.0:
* New multisocket plugin - allows CoreDNS to listen on multiple sockets
* bump deps
- Update to version 1.11.4:
* forward plugin: new option next, to try alternate upstreams when receiving specified response codes (functions like the external plugin alternate)
* dnssec plugin: new option to load keys from AWS Secrets Manager
* rewrite plugin: new option to revert EDNS0 option rewrites in responses
- Update to version 1.11.3+git129.387f34d:
* fix CVE-2024-51744 (https://bugzilla.suse.com/show_bug.cgi?id=1232991): build(deps): bump github.com/golang-jwt/jwt/v4 from 4.5.0 to 4.5.1 (#6955)
* core: set cache-control max-age as integer, not float (#6764)
* Issue-6671: Fixed the order of plugins. (#6729)
* `root`: explicit mark `dnssec` support (#6753)
* feat: dnssec load keys from AWS Secrets Manager (#6618)
* fuzzing: fix broken oss-fuzz build (#6880)
* Replace k8s.io/utils/strings/slices by Go stdlib slices (#6863)
* Update .go-version to 1.23.2 (#6920)
* plugin/rewrite: Add "revert" parameter for EDNS0 options (#6893)
* Added OpenSSF Scorecard Badge (#6738)
* fix(cwd): Restored backwards compatibility of Current Workdir (#6731)
* fix: plugin/auto: call OnShutdown() for each zone at its own OnShutdown() (#6705)
* feature: log queue and buffer memory size configuration (#6591)
* plugin/bind: add zone for link-local IPv6 instead of skipping (#6547)
* only create PTR records for endpoints with hostname defined (#6898)
* fix: reverter should execute the reversion in reversed order (#6872)
* plugin/etcd: fix etcd connection leakage when reload (#6646)
* kubernetes: Add useragent (#6484)
* Update build (#6836)
* Update grpc library use (#6826)
* Bump go version from 1.21.11 to 1.21.12 (#6800)
* Upgrade antonmedv/expr to expr-lang/expr (#6814)
* hosts: add hostsfile as label for coredns_hosts_entries (#6801)
* fix TestCorefile1 panic for nil handling (#6802)
Patchnames
openSUSE-Leap-16.0-packagehub-87
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for coredns",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for coredns fixes the following issues:\n\nChanges in coredns:\n\n- fix CVE-2025-68156 bsc#1255345\n- fix CVE-2025-68161 bsc#1256411\n- Update to version 1.14.0:\n * core: Fix gosec G115 integer overflow warnings\n * core: Add regex length limit\n * plugin/azure: Fix slice init length\n * plugin/errors: Add optional show_first flag to consolidate directive\n * plugin/file: Fix for misleading SOA parser warnings\n * plugin/kubernetes: Rate limits to api server\n * plugin/metrics: Implement plugin chain tracking\n * plugin/sign: Report parser err before missing SOA\n * build(deps): bump github.com/expr-lang/expr from 1.17.6 to 1.17.7\n\n- Update to version 1.13.2:\n * core: Add basic support for DoH3\n * core: Avoid proxy unnecessary alloc in Yield\n * core: Fix usage of sync.Pool to save an alloc\n * core: Fix data race with sync.RWMutex for uniq\n * core: Prevent QUIC reload panic by lazily initializing the listener\n * core: Refactor/use reflect.TypeFor\n * plugin/auto: Limit regex length\n * plugin/cache: Remove superfluous allocations in item.toMsg\n * plugin/cache: Isolate metadata in prefetch goroutine\n * plugin/cache: Correct spelling of MaximumDefaultTTL in cache and dnsutil\n packages\n * plugin/dnstap: Better error handling (redial \u0026 logging) when Dnstap is busy\n * plugin/file: Performance finetuning\n * plugin/forward: Disallow NOERROR in failover\n * plugin/forward: Added support for per-nameserver TLS SNI\n * plugin/forward: Prevent busy loop on connection err\n * plugin/forward: Add max connect attempts knob\n * plugin/geoip: Add ASN schema support\n * plugin/geoip: Add support for subdivisions\n * plugin/kubernetes: Fix kubernetes plugin logging\n * plugin/multisocket: Cap num sockets to prevent OOM\n * plugin/nomad: Support service filtering\n * plugin/rewrite: Pre-compile CNAME rewrite regexp\n * plugin/secondary: Fix reload causing secondary plugin goroutine to leak\n\n- Update to version 1.13.1:\n * core: Avoid string concatenation in loops\n * core: Update golang to 1.25.2 and golang.org/x/net to v0.45.0 on CVE fixes\n * plugin/sign: Reject invalid UTF\u20118 dbfile token\n\n- Update to version 1.13.0:\n * core: Export timeout values in dnsserver.Server\n * core: Fix Corefile infinite loop on unclosed braces\n * core: Fix Corefile related import cycle issue\n * core: Normalize panics on invalid origins\n * core: Rely on dns.Server.ShutdownContext to gracefully stop\n * plugin/dnstap: Add bounds for plugin args\n * plugin/file: Fix data race in tree Elem.Name\n * plugin/forward: No failover to next upstream when receiving SERVFAIL or\n REFUSED response codes\n * plugin/grpc: Enforce DNS message size limits\n * plugin/loop: Prevent panic when ListenHosts is empty\n * plugin/loop: Avoid panic on invalid server block\n * plugin/nomad: Add a Nomad plugin\n * plugin/reload: Prevent SIGTERM/reload deadlock\n\n- fix CVE-2025-58063 bsc#1249389\n- Update to version 1.12.4:\n * bump deps\n * fix(transfer): goroutine leak on axfr err (#7516)\n * plugin/etcd: fix import order for ttl test (#7515)\n * fix(grpc): check proxy list length in policies (#7512)\n * fix(https): propagate HTTP request context (#7491)\n * fix(plugin): guard nil lookups across plugins (#7494)\n * lint: add missing prealloc to backend lookup test (#7510)\n * fix(grpc): span leak on error attempt (#7487)\n * test(plugin): improve backend lookup coverage (#7496)\n * lint: enable prealloc (#7493)\n * lint: enable durationcheck (#7492)\n * Add Sophotech to adopters list (#7495)\n * plugin: Use %w to wrap user error (#7489)\n * fix(metrics): add timeouts to metrics HTTP server (#7469)\n * chore(ci): restrict token permissions (#7470)\n * chore(ci): pin workflow dependencies (#7471)\n * fix(forward): use netip package for parsing (#7472)\n * test(plugin): improve test coverage for pprof (#7473)\n * build(deps): bump github.com/go-viper/mapstructure/v2 (#7468)\n * plugin/file: fix label offset problem in ClosestEncloser (#7465)\n * feat(trace): migrate dd-trace-go v1 to v2 (#7466)\n * test(multisocket): deflake restart by using a fresh port and coordinated cleanup (#7438)\n * chore: update Go version to 1.24.6 (#7437)\n * plugin/header: Remove deprecated syntax (#7436)\n * plugin/loadbalance: support prefer option (#7433)\n * Improve caddy.GracefulServer conformance checks (#7416)\n\n- Update to version 1.12.3:\n * chore: Minor changes to `Dockerfile` (#7428)\n * Properly create hostname from IPv6 (#7431)\n * Bump deps\n * fix: handle cached connection closure in forward plugin (#7427)\n * plugin/test: fix TXT record comparison for multi-chunk vs multiple records\n * plugin/file: preserve case in SRV record names and targets per RFC 6763\n * fix(auto/file): return REFUSED when no next plugin is available (#7381)\n * Port to AWS Go SDK v2 (#6588)\n * fix(cache): data race when refreshing cached messages (#7398)\n * fix(cache): data race when updating the TTL of cached messages (#7397)\n * chore: fix docs incompatibility (#7390)\n * plugin/rewrite: Add EDNS0 Unset Action (#7380)\n * add args: startup_timeout for kubernetes plugin (#7068)\n * [plugin/cache] create a copy of a response to ensure original data is never\n modified\n * Add support for fallthrough to the grpc plugin (#7359)\n * view: Add IPv6 example match (#7355)\n * chore: enable more rules from revive (#7352)\n * chore: enable early-return and superfluous-else from revive (#7129)\n * test(plugin): improve tests for auto (#7348)\n * fix(proxy): flaky dial tests (#7349)\n * test: add t.Helper() calls to test helper functions (#7351)\n * fix(kubernetes): multicluster DNS race condition (#7350)\n * lint: enable wastedassign linter (#7340)\n * test(plugin): add tests for any (#7341)\n * Actually invoke make release -f Makefile.release during test (#7338)\n * Keep golang to 1.24.2 due to build issues in 1.24.3 (#7337)\n * lint: enable protogetter linter (#7336)\n * lint: enable nolintlint linter (#7332)\n * fix: missing intrange lint fix (#7333)\n * perf(kubernetes): optimize AutoPath slice allocation (#7323)\n * lint: enable intrange linter (#7331)\n * feat(plugin/file): fallthrough (#7327)\n * lint: enable canonicalheader linter (#7330)\n * fix(proxy): avoid Dial hang after Transport stopped (#7321)\n * test(plugin): add tests for pkg/rand (#7320)\n * test(dnsserver): add unit tests for gRPC and QUIC servers (#7319)\n * fix: loop variable capture and linter (#7328)\n * lint: enable usetesting linter (#7322)\n * test: skip certain network-specific tests on non-Linux (#7318)\n * test(dnsserver): improve core/dnsserver test coverage (#7317)\n * fix(metrics): preserve request size from plugins (#7313)\n * fix: ensure DNS query name reset in plugin.NS error path (#7142)\n * feat: enable plugins via environment during build (#7310)\n * fix(plugin/bind): remove zone for link-local IPv4 (#7295)\n * test(request): improve coverage across package (#7307)\n * test(coremain): Add unit tests (#7308)\n * ci(test-e2e): add Go version setup to workflow (#7309)\n * kubernetes: add multicluster support (#7266)\n * chore: Add new maintainer thevilledev (#7298)\n * Update golangci-lint (#7294)\n * feat: limit concurrent DoQ streams and goroutines (#7296)\n * docs: add man page for multisocket plugin (#7297)\n * Prepare for the k8s api upgrade (#7293)\n * fix(rewrite): truncated upstream response (#7277)\n * fix(plugin/secondary): make transfer property mandatory (#7249)\n * plugin/bind: remove macOS bug mention in docs (#7250)\n * Remove `?bla=foo:443` for `POST` DoH (#7257)\n * Do not interrupt querying readiness probes for plugins (#6975)\n * Added `SetProxyOptions` function for `forward` plugin (#7229)\n\n- Backported quic-go PR #5094: Fix parsing of ifindex from packets\n to ensure compatibility with big-endian architectures\n (see quic-go/quic-go#4978, coredns/coredns#6682).\n\n- Update to version 1.12.1:\n * core: Increase CNAME lookup limit from 7 to 10 (#7153)\n * plugin/kubernetes: Fix handling of pods having DeletionTimestamp set\n * plugin/kubernetes: Revert \"only create PTR records for endpoints with\n hostname defined\"\n * plugin/forward: added option failfast_all_unhealthy_upstreams to return\n servfail if all upstreams are down\n * bump dependencies, fixing bsc#1239294 and bsc#1239728\n\n- Update to version 1.12.0:\n * New multisocket plugin - allows CoreDNS to listen on multiple sockets\n * bump deps\n\n- Update to version 1.11.4:\n * forward plugin: new option next, to try alternate upstreams when receiving\n specified response codes upstreams on (functions like the external plugin\n alternate)\n * dnssec plugin: new option to load keys from AWS Secrets Manager\n * rewrite plugin: new option to revert EDNS0 option rewrites in responses\n\n- Update to version 1.11.3+git129.387f34d:\n * fix CVE-2024-51744 (https://bugzilla.suse.com/show_bug.cgi?id=1232991)\n build(deps): bump github.com/golang-jwt/jwt/v4 from 4.5.0 to 4.5.1 (#6955)\n * core: set cache-control max-age as integer, not float (#6764)\n * Issue-6671: Fixed the order of plugins. (#6729)\n * `root`: explicit mark `dnssec` support (#6753)\n * feat: dnssec load keys from AWS Secrets Manager (#6618)\n * fuzzing: fix broken oss-fuzz build (#6880)\n * Replace k8s.io/utils/strings/slices by Go stdlib slices (#6863)\n * Update .go-version to 1.23.2 (#6920)\n * plugin/rewrite: Add \"revert\" parameter for EDNS0 options (#6893)\n * Added OpenSSF Scorecard Badge (#6738)\n * fix(cwd): Restored backwards compatibility of Current Workdir (#6731)\n * fix: plugin/auto: call OnShutdown() for each zone at its own OnShutdown() (#6705)\n * feature: log queue and buffer memory size configuration (#6591)\n * plugin/bind: add zone for link-local IPv6 instead of skipping (#6547)\n * only create PTR records for endpoints with hostname defined (#6898)\n * fix: reverter should execute the reversion in reversed order (#6872)\n * plugin/etcd: fix etcd connection leakage when reload (#6646)\n * kubernetes: Add useragent (#6484)\n * Update build (#6836)\n * Update grpc library use (#6826)\n * Bump go version from 1.21.11 to 1.21.12 (#6800)\n * Upgrade antonmedv/expr to expr-lang/expr (#6814)\n * hosts: add hostsfile as label for coredns_hosts_entries (#6801)\n * fix TestCorefile1 panic for nil handling (#6802)\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Leap-16.0-packagehub-87",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2026_20099-1.json"
},
{
"category": "self",
"summary": "SUSE Bug 1239294",
"url": "https://bugzilla.suse.com/1239294"
},
{
"category": "self",
"summary": "SUSE Bug 1239728",
"url": "https://bugzilla.suse.com/1239728"
},
{
"category": "self",
"summary": "SUSE Bug 1249389",
"url": "https://bugzilla.suse.com/1249389"
},
{
"category": "self",
"summary": "SUSE Bug 1255345",
"url": "https://bugzilla.suse.com/1255345"
},
{
"category": "self",
"summary": "SUSE Bug 1256411",
"url": "https://bugzilla.suse.com/1256411"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-51744 page",
"url": "https://www.suse.com/security/cve/CVE-2024-51744/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-58063 page",
"url": "https://www.suse.com/security/cve/CVE-2025-58063/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-68156 page",
"url": "https://www.suse.com/security/cve/CVE-2025-68156/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-68161 page",
"url": "https://www.suse.com/security/cve/CVE-2025-68161/"
}
],
"title": "Security update for coredns",
"tracking": {
"current_release_date": "2026-01-24T09:09:32Z",
"generator": {
"date": "2026-01-24T09:09:32Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2026:20099-1",
"initial_release_date": "2026-01-24T09:09:32Z",
"revision_history": [
{
"date": "2026-01-24T09:09:32Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "coredns-1.14.0-bp160.1.1.aarch64",
"product": {
"name": "coredns-1.14.0-bp160.1.1.aarch64",
"product_id": "coredns-1.14.0-bp160.1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "coredns-extras-1.14.0-bp160.1.1.noarch",
"product": {
"name": "coredns-extras-1.14.0-bp160.1.1.noarch",
"product_id": "coredns-extras-1.14.0-bp160.1.1.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "coredns-1.14.0-bp160.1.1.ppc64le",
"product": {
"name": "coredns-1.14.0-bp160.1.1.ppc64le",
"product_id": "coredns-1.14.0-bp160.1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "coredns-1.14.0-bp160.1.1.x86_64",
"product": {
"name": "coredns-1.14.0-bp160.1.1.x86_64",
"product_id": "coredns-1.14.0-bp160.1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Leap 16.0",
"product": {
"name": "openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0"
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "coredns-1.14.0-bp160.1.1.aarch64 as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:coredns-1.14.0-bp160.1.1.aarch64"
},
"product_reference": "coredns-1.14.0-bp160.1.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "coredns-1.14.0-bp160.1.1.ppc64le as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:coredns-1.14.0-bp160.1.1.ppc64le"
},
"product_reference": "coredns-1.14.0-bp160.1.1.ppc64le",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "coredns-1.14.0-bp160.1.1.x86_64 as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:coredns-1.14.0-bp160.1.1.x86_64"
},
"product_reference": "coredns-1.14.0-bp160.1.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "coredns-extras-1.14.0-bp160.1.1.noarch as component of openSUSE Leap 16.0",
"product_id": "openSUSE Leap 16.0:coredns-extras-1.14.0-bp160.1.1.noarch"
},
"product_reference": "coredns-extras-1.14.0-bp160.1.1.noarch",
"relates_to_product_reference": "openSUSE Leap 16.0"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-51744",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-51744"
}
],
"notes": [
{
"category": "general",
"text": "golang-jwt is a Go implementation of JSON Web Tokens. Unclear documentation of the error behavior in `ParseWithClaims` can lead to situation where users are potentially not checking errors in the way they should be. Especially, if a token is both expired and invalid, the errors returned by `ParseWithClaims` return both error codes. If users only check for the `jwt.ErrTokenExpired ` using `error.Is`, they will ignore the embedded `jwt.ErrTokenSignatureInvalid` and thus potentially accept invalid tokens. A fix has been back-ported with the error handling logic from the `v5` branch to the `v4` branch. In this logic, the `ParseWithClaims` function will immediately return in \"dangerous\" situations (e.g., an invalid signature), limiting the combined errors only to situations where the signature is valid, but further validation failed (e.g., if the signature is valid, but is expired AND has the wrong audience). This fix is part of the 4.5.1 release. We are aware that this changes the behaviour of an established function and is not 100 % backwards compatible, so updating to 4.5.1 might break your code. In case you cannot update to 4.5.0, please make sure that you are properly checking for all errors (\"dangerous\" ones first), so that you are not running in the case detailed above.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:coredns-1.14.0-bp160.1.1.aarch64",
"openSUSE Leap 16.0:coredns-1.14.0-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:coredns-1.14.0-bp160.1.1.x86_64",
"openSUSE Leap 16.0:coredns-extras-1.14.0-bp160.1.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-51744",
"url": "https://www.suse.com/security/cve/CVE-2024-51744"
},
{
"category": "external",
"summary": "SUSE Bug 1232936 for CVE-2024-51744",
"url": "https://bugzilla.suse.com/1232936"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:coredns-1.14.0-bp160.1.1.aarch64",
"openSUSE Leap 16.0:coredns-1.14.0-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:coredns-1.14.0-bp160.1.1.x86_64",
"openSUSE Leap 16.0:coredns-extras-1.14.0-bp160.1.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 3.1,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:coredns-1.14.0-bp160.1.1.aarch64",
"openSUSE Leap 16.0:coredns-1.14.0-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:coredns-1.14.0-bp160.1.1.x86_64",
"openSUSE Leap 16.0:coredns-extras-1.14.0-bp160.1.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-01-24T09:09:32Z",
"details": "moderate"
}
],
"title": "CVE-2024-51744"
},
{
"cve": "CVE-2025-58063",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-58063"
}
],
"notes": [
{
"category": "general",
"text": "CoreDNS is a DNS server that chains plugins. Starting in version 1.2.0 and prior to version 1.12.4, the CoreDNS etcd plugin contains a TTL confusion vulnerability where lease IDs are incorrectly used as TTL values, enabling DNS cache pinning attacks. This effectively creates a DoS condition for DNS resolution of affected services. The `TTL()` function in `plugin/etcd/etcd.go` incorrectly casts etcd lease IDs (64-bit integers) to uint32 and uses them as TTL values. Large lease IDs become very large TTLs when cast to uint32. This enables cache pinning attacks. Version 1.12.4 contains a fix for the issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:coredns-1.14.0-bp160.1.1.aarch64",
"openSUSE Leap 16.0:coredns-1.14.0-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:coredns-1.14.0-bp160.1.1.x86_64",
"openSUSE Leap 16.0:coredns-extras-1.14.0-bp160.1.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-58063",
"url": "https://www.suse.com/security/cve/CVE-2025-58063"
},
{
"category": "external",
"summary": "SUSE Bug 1249389 for CVE-2025-58063",
"url": "https://bugzilla.suse.com/1249389"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:coredns-1.14.0-bp160.1.1.aarch64",
"openSUSE Leap 16.0:coredns-1.14.0-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:coredns-1.14.0-bp160.1.1.x86_64",
"openSUSE Leap 16.0:coredns-extras-1.14.0-bp160.1.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:coredns-1.14.0-bp160.1.1.aarch64",
"openSUSE Leap 16.0:coredns-1.14.0-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:coredns-1.14.0-bp160.1.1.x86_64",
"openSUSE Leap 16.0:coredns-extras-1.14.0-bp160.1.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-01-24T09:09:32Z",
"details": "moderate"
}
],
"title": "CVE-2025-58063"
},
{
"cve": "CVE-2025-68156",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-68156"
}
],
"notes": [
{
"category": "general",
"text": "Expr is an expression language and expression evaluation for Go. Prior to version 1.17.7, several builtin functions in Expr, including `flatten`, `min`, `max`, `mean`, and `median`, perform recursive traversal over user-provided data structures without enforcing a maximum recursion depth. If the evaluation environment contains deeply nested or cyclic data structures, these functions may recurse indefinitely until exceed the Go runtime stack limit. This results in a stack overflow panic, causing the host application to crash. While exploitability depends on whether an attacker can influence or inject cyclic or pathologically deep data into the\nevaluation environment, this behavior represents a denial-of-service (DoS) risk and affects overall library robustness. Instead of returning a recoverable evaluation error, the process may terminate unexpectedly. In affected versions, evaluation of expressions that invoke certain builtin functions on untrusted or insufficiently validated data structures can lead to a process-level crash due to stack exhaustion. This issue is most relevant in scenarios where Expr is used to evaluate expressions against externally supplied or dynamically constructed environments; cyclic references (directly or indirectly) can be introduced into arrays, maps, or structs; and there are no application-level safeguards preventing deeply nested input data. In typical use cases with controlled, acyclic data, the issue may not manifest. However, when present, the resulting panic can be used to reliably crash the application, constituting a denial of service. The issue has been fixed in the v1.17.7 versions of Expr. The patch introduces a maximum recursion depth limit for affected builtin functions. When this limit is exceeded, evaluation aborts gracefully and returns a descriptive error instead of panicking. Additionally, the maximum depth can be customized by users via `builtin.MaxDepth`, allowing applications with legitimate deep structures to raise the limit in a controlled manner. Users are strongly encouraged to upgrade to the patched release, which includes both the recursion guard and comprehensive test coverage to prevent regressions. For users who cannot immediately upgrade, some mitigations are recommended. Ensure that evaluation environments cannot contain cyclic references, validate or sanitize externally supplied data structures before passing them to Expr, and/or wrap expression evaluation with panic recovery to prevent a full process crash (as a last-resort defensive measure). These workarounds reduce risk but do not fully eliminate the issue without the patch.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:coredns-1.14.0-bp160.1.1.aarch64",
"openSUSE Leap 16.0:coredns-1.14.0-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:coredns-1.14.0-bp160.1.1.x86_64",
"openSUSE Leap 16.0:coredns-extras-1.14.0-bp160.1.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-68156",
"url": "https://www.suse.com/security/cve/CVE-2025-68156"
},
{
"category": "external",
"summary": "SUSE Bug 1255330 for CVE-2025-68156",
"url": "https://bugzilla.suse.com/1255330"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:coredns-1.14.0-bp160.1.1.aarch64",
"openSUSE Leap 16.0:coredns-1.14.0-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:coredns-1.14.0-bp160.1.1.x86_64",
"openSUSE Leap 16.0:coredns-extras-1.14.0-bp160.1.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:coredns-1.14.0-bp160.1.1.aarch64",
"openSUSE Leap 16.0:coredns-1.14.0-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:coredns-1.14.0-bp160.1.1.x86_64",
"openSUSE Leap 16.0:coredns-extras-1.14.0-bp160.1.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-01-24T09:09:32Z",
"details": "important"
}
],
"title": "CVE-2025-68156"
},
{
"cve": "CVE-2025-68161",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-68161"
}
],
"notes": [
{
"category": "general",
"text": "The Socket Appender in Apache Log4j Core versions 2.0-beta9 through 2.25.2 does not perform TLS hostname verification of the peer certificate, even when the verifyHostName https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName configuration attribute or the log4j2.sslVerifyHostName https://logging.apache.org/log4j/2.x/manual/systemproperties.html#log4j2.sslVerifyHostName system property is set to true.\n\nThis issue may allow a man-in-the-middle attacker to intercept or redirect log traffic under the following conditions:\n\n * The attacker is able to intercept or redirect network traffic between the client and the log receiver.\n * The attacker can present a server certificate issued by a certification authority trusted by the Socket Appender\u0027s configured trust store (or by the default Java trust store if no custom trust store is configured).\n\n\nUsers are advised to upgrade to Apache Log4j Core version 2.25.3, which addresses this issue.\n\nAs an alternative mitigation, the Socket Appender may be configured to use a private or restricted trust root to limit the set of trusted certificates.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 16.0:coredns-1.14.0-bp160.1.1.aarch64",
"openSUSE Leap 16.0:coredns-1.14.0-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:coredns-1.14.0-bp160.1.1.x86_64",
"openSUSE Leap 16.0:coredns-extras-1.14.0-bp160.1.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-68161",
"url": "https://www.suse.com/security/cve/CVE-2025-68161"
},
{
"category": "external",
"summary": "SUSE Bug 1255427 for CVE-2025-68161",
"url": "https://bugzilla.suse.com/1255427"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 16.0:coredns-1.14.0-bp160.1.1.aarch64",
"openSUSE Leap 16.0:coredns-1.14.0-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:coredns-1.14.0-bp160.1.1.x86_64",
"openSUSE Leap 16.0:coredns-extras-1.14.0-bp160.1.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"openSUSE Leap 16.0:coredns-1.14.0-bp160.1.1.aarch64",
"openSUSE Leap 16.0:coredns-1.14.0-bp160.1.1.ppc64le",
"openSUSE Leap 16.0:coredns-1.14.0-bp160.1.1.x86_64",
"openSUSE Leap 16.0:coredns-extras-1.14.0-bp160.1.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-01-24T09:09:32Z",
"details": "moderate"
}
],
"title": "CVE-2025-68161"
}
]
}