Advisory Database

CVE-2025-25188: Hickory DNS's DNSSEC validation may accept broken authentication chains

February 10, 2025

The DNSSEC validation routines treat entire RRsets of DNSKEY records as trusted once they have established trust in only one of the DNSKEYs. As a result, if a zone includes a DNSKEY with a public key that matches a configured trust anchor, all keys in that zone will be trusted to authenticate other records in the zone. There is a second variant of this vulnerability involving DS records, where an authenticated DS record covering one DNSKEY leads to trust in signatures made by an unrelated DNSKEY in the same zone.
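The following Rust model is an added illustration, not hickory-dns code, of the trust decision the advisory describes: a zone's DNSKEY RRset contains one key that matches a configured trust anchor (or an authenticated DS record) and one unrelated key, and the RRSIG over that RRset was produced with the unrelated key. `validate_dnskey_rrset_wide` reproduces the flawed behaviour (one anchored key makes the whole RRset trusted, so the RRSIG may be checked against any key in it); `validate_dnskey_per_key` shows the correct rule (only keys that individually chain to an anchor or DS may verify the RRSIG, and the rest of the RRset becomes trusted only after that succeeds). The digest and signature are constructed toys built on FNV-1a, standing in for SHA-256 and RSA/ECDSA; the record layouts, key tags and owner name are likewise constructed, and only the trust logic is the point.

```rust
// Added example, not part of the advisory or of hickory-dns. Models the two
// DNSKEY trust strategies described in CVE-2025-25188 with toy crypto.
use std::collections::HashSet;

/// Simplified DNSKEY: owner name, key tag and raw public key bytes.
#[derive(Clone, Debug, PartialEq)]
pub struct DnsKey {
    pub owner: String,
    pub key_tag: u16,
    pub public_key: Vec<u8>,
}

/// Simplified DS record from the parent: key tag plus a digest of the key.
#[derive(Clone, Debug)]
pub struct DsRecord {
    pub key_tag: u16,
    pub digest: u64,
}

/// Simplified RRSIG over the DNSKEY RRset: which key tag signed, and the value.
#[derive(Clone, Debug)]
pub struct RrSig {
    pub signer_tag: u16,
    pub value: u64,
}

/// Constructed 64-bit FNV-1a digest; a real validator uses SHA-256 here.
pub fn toy_digest(data: &[u8]) -> u64 {
    let mut h: u64 = 0xcbf2_9ce4_8422_2325;
    for b in data {
        h ^= u64::from(*b);
        h = h.wrapping_mul(0x0000_0100_0000_01b3);
    }
    h
}

/// Digest a DS record commits to (RFC 4034 5.1.4: owner name || DNSKEY RDATA).
pub fn ds_digest_of(key: &DnsKey) -> u64 {
    let mut buf = key.owner.as_bytes().to_vec();
    buf.extend_from_slice(&key.key_tag.to_be_bytes());
    buf.extend_from_slice(&key.public_key);
    toy_digest(&buf)
}

/// Canonical bytes of the whole DNSKEY RRset: the message an RRSIG covers.
pub fn rrset_bytes(keys: &[DnsKey]) -> Vec<u8> {
    let mut buf = Vec::new();
    for k in keys {
        buf.extend_from_slice(&k.key_tag.to_be_bytes());
        buf.extend_from_slice(&k.public_key);
    }
    buf
}

/// Constructed, forgeable "signature" = digest(public key || message).
/// Stands in for RSA/ECDSA; it only has to be checkable against one key.
pub fn toy_sign(key: &DnsKey, msg: &[u8]) -> RrSig {
    let mut buf = key.public_key.clone();
    buf.extend_from_slice(msg);
    RrSig { signer_tag: key.key_tag, value: toy_digest(&buf) }
}

fn toy_verify(key: &DnsKey, msg: &[u8], sig: &RrSig) -> bool {
    key.key_tag == sig.signer_tag && toy_sign(key, msg).value == sig.value
}

/// Does this key, on its own, match a trust anchor or an authenticated DS?
fn key_is_anchored(key: &DnsKey, anchors: &[Vec<u8>], ds_set: &[DsRecord]) -> bool {
    anchors.iter().any(|a| *a == key.public_key)
        || ds_set.iter().any(|ds| ds.key_tag == key.key_tag && ds.digest == ds_digest_of(key))
}

/// Flawed rule from the advisory: one anchored key makes the whole RRset
/// trusted, so the RRSIG is accepted if ANY key in the set verifies it.
pub fn validate_dnskey_rrset_wide(keys: &[DnsKey], sig: &RrSig, anchors: &[Vec<u8>], ds_set: &[DsRecord]) -> HashSet<u16> {
    let msg = rrset_bytes(keys);
    let any_anchored = keys.iter().any(|k| key_is_anchored(k, anchors, ds_set));
    if any_anchored && keys.iter().any(|k| toy_verify(k, &msg, sig)) {
        keys.iter().map(|k| k.key_tag).collect()
    } else {
        HashSet::new()
    }
}

/// Corrected rule: only keys that individually chain to an anchor or DS may
/// verify the RRSIG; the remaining keys are trusted only after that succeeds.
pub fn validate_dnskey_per_key(keys: &[DnsKey], sig: &RrSig, anchors: &[Vec<u8>], ds_set: &[DsRecord]) -> HashSet<u16> {
    let msg = rrset_bytes(keys);
    let signed_by_anchored = keys
        .iter()
        .filter(|k| key_is_anchored(k, anchors, ds_set))
        .any(|k| toy_verify(k, &msg, sig));
    if signed_by_anchored { keys.iter().map(|k| k.key_tag).collect() } else { HashSet::new() }
}

/// Constructed scenario: anchored KSK (via trust anchor or via DS) plus an
/// unrelated key in the same RRset. Returns whether the unrelated key ends up
/// trusted under the flawed rule and under the corrected rule, in that order.
pub fn run_scenario(anchor_via_ds: bool, signed_by_ksk: bool) -> (bool, bool) {
    let ksk = DnsKey { owner: "example.".to_string(), key_tag: 1001, public_key: vec![0xAA; 8] };
    let other = DnsKey { owner: "example.".to_string(), key_tag: 2002, public_key: vec![0xBB; 8] };
    let (anchors, ds_set) = if anchor_via_ds {
        (vec![], vec![DsRecord { key_tag: ksk.key_tag, digest: ds_digest_of(&ksk) }])
    } else {
        (vec![ksk.public_key.clone()], vec![])
    };
    let rrset = vec![ksk.clone(), other.clone()];
    let signer = if signed_by_ksk { &ksk } else { &other };
    let sig = toy_sign(signer, &rrset_bytes(&rrset));
    let wide = validate_dnskey_rrset_wide(&rrset, &sig, &anchors, &ds_set);
    let strict = validate_dnskey_per_key(&rrset, &sig, &anchors, &ds_set);
    (wide.contains(&other.key_tag), strict.contains(&other.key_tag))
}

fn main() {
    let (wide, strict) = run_scenario(false, false);
    println!("unrelated signer trusted, RRset-wide rule: {}", wide);
    println!("unrelated signer trusted, per-key rule:   {}", strict);
}
```

The `signed_by_ksk = true` path is the legitimate case: once the RRSIG over the DNSKEY RRset verifies under an anchored key, every key in that RRset (for instance the zone's ZSKs) is rightly trusted under both rules. The difference between the two rules appears only when the RRSIG was made by a key that does not itself chain to an anchor or DS, which is exactly the condition the advisory describes for both the trust-anchor and the DS variant.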

References

  • github.com/advisories/GHSA-37wc-h8xc-5hc4
  • github.com/hickory-dns/hickory-dns
  • github.com/hickory-dns/hickory-dns/security/advisories/GHSA-37wc-h8xc-5hc4
  • nvd.nist.gov/vuln/detail/CVE-2025-25188

Affected versions

All versions starting from 0.8.0 before 0.24.3

Fixed versions

  • 0.24.3

Solution

Upgrade to version 0.24.3 or above.

Weakness

  • CWE-345: Insufficient Verification of Data Authenticity

Source file

cargo/hickory-proto/CVE-2025-25188.yml

Page generated Wed, 14 May 2025 12:15:28 +0000.