CVE-2025-59030 Insufficient validation of incoming notifies over TCP can lead to a denial of service in Recursor

🗓️ 09 Dec 2025 09:15:43Reported by OXType

CVE-2025-59030: TCP NOTIFY validation flaw enables denial of service in Recursor.

Reporter	Title	Published	Views	Family All 28
FreeBSD	powerdns-recursor -- Denial of Service	8 Dec 202500:00	–	freebsd
AlpineLinux	CVE-2025-59030	9 Dec 202509:15	–	alpinelinux
Circl	CVE-2025-59030	9 Dec 202511:21	–	circl
CNNVD	PowerDNS Recursor 安全漏洞	9 Dec 202500:00	–	cnnvd
CVE	CVE-2025-59030	9 Dec 202509:15	–	cve
Debian	[SECURITY] [DSA 6077-1] pdns-recursor security update	10 Dec 202509:49	–	debian
Debian CVE	CVE-2025-59030	9 Dec 202509:15	–	debiancve
Tenable Nessus	Debian dsa-6077 : pdns-recursor - security update	10 Dec 202500:00	–	nessus
Tenable Nessus	Fedora 42 : pdns-recursor (2026-2490896a5d)	12 Apr 202600:00	–	nessus
Tenable Nessus	Fedora 43 : pdns-recursor (2026-9c582575e5)	13 Apr 202600:00	–	nessus

[
  {
    "collectionURL": "https://repo.powerdns.com/",
    "defaultStatus": "unaffected",
    "modules": [
      "TCP NOTIFY messages handler"
    ],
    "packageName": "pdns-recursor",
    "product": "Recursor",
    "programFiles": [
      "rec-tcp.cc"
    ],
    "repo": "https://github.com/PowerDNS/pdns",
    "vendor": "PowerDNS",
    "versions": [
      {
        "lessThan": "5.3.3",
        "status": "affected",
        "version": "5.3.0",
        "versionType": "semver"
      },
      {
        "lessThan": "5.2.7",
        "status": "affected",
        "version": "5.2.0",
        "versionType": "semver"
      },
      {
        "lessThan": "5.1.9",
        "status": "affected",
        "version": "5.1.0",
        "versionType": "semver"
      }
    ]
  }
]

Source	Link
docs	www.docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2025-08.html

09 Dec 2025 09:15Current

CVSS 3.17.5

EPSS0.00486

CWE-276