CVE-2025-30192 HIGH

CVE-2025-30192: A Recursor configured to send out ECS enabled queries can be sensitive to spoofing attempts

Weakness CWE-345
Published July 21, 2025
Last update July 21, 2025

CVSS base score

7.5/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality None
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

What the vulnerability does

01 Description

An attacker spoofing answers to ECS-enabled requests sent out by the Recursor has a higher chance of success than with non-ECS-enabled queries. The updated version includes various mitigations against spoofing attempts on ECS-enabled queries: it chains ECS-enabled requests and enforces stricter validation of the received answers. The strictest mitigation is applied when the new setting outgoing.edns_subnet_harden (old-style name edns-subnet-harden) is enabled.
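A configuration check for the setting named above, added here as an example and not taken from the advisory or from PowerDNS code. It reads an old-style `recursor.conf` and reports whether outgoing ECS is in use without `edns-subnet-harden`. Assumptions: outgoing ECS is switched on by a non-empty `edns-subnet-allow-list` (per the Recursor documentation, not this page), booleans are written `yes`/`no`, and the harden setting counts as off when absent.

```python
# Added example: audit an old-style PowerDNS Recursor config for ECS hardening.
# Constructed sample input, not a real deployment.
SAMPLE_CONF = """\
local-address=192.0.2.53
edns-subnet-allow-list=198.51.100.0/24
edns-subnet-allow-list+=cdn.example   # appended entry
# edns-subnet-harden=yes
"""

def parse_old_style(text):
    """Parse key=value and key+=value lines; '#' starts a comment."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.endswith("+"):  # 'key+=value' appends to the earlier value
            key = key[:-1].strip()
            previous = settings.get(key, "")
            value = f"{previous},{value}" if previous else value
        settings[key] = value
    return settings

def audit_ecs(text):
    """Return (status, ecs_targets) for the ECS spoofing mitigation."""
    settings = parse_old_style(text)
    # Assumption: a non-empty allow list means ECS is sent in outgoing queries.
    raw_list = settings.get("edns-subnet-allow-list", "")
    targets = [item.strip() for item in raw_list.split(",") if item.strip()]
    # Assumption: the setting is off unless explicitly set to 'yes'.
    hardened = settings.get("edns-subnet-harden", "no").lower() == "yes"
    if not targets:
        return "no-outgoing-ecs", targets
    if hardened:
        return "ecs-hardened", targets
    return "ecs-not-hardened", targets

if __name__ == "__main__":
    status, targets = audit_ecs(SAMPLE_CONF)
    print(f"{status}: ECS sent for {targets}")
```

The check covers configuration only; the setting exists only in the updated version, so the installed version still has to be verified separately.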

Key dates

02 Disclosure timeline

July 21, 2025 CVE published
July 21, 2025 Record updated