A critical flaw in CoreDNS’s etcd plugin can let attackers pin DNS records in caches for years, effectively blocking legitimate updates.
This vulnerability, tracked as CVE-2025-58063, stems from incorrect handling of etcd lease IDs. It affects every CoreDNS release from version 1.2.0 onward and was patched in version 1.12.4, according to the researcher's report on GitHub.
Security teams should urgently update and review TTL settings to prevent long-term cache poisoning.
Vulnerability Details
The vulnerability arises in the plugin/etcd/etcd.go file, where the TTL() function mistakenly casts a 64-bit lease ID into a 32-bit unsigned integer.
Lease IDs are meant as opaque identifiers, not duration values. When the code treats the truncated ID as the TTL, it can produce extremely large values.
| CVE ID | Vulnerability | Affected Versions | Patched Version | Severity |
|---|---|---|---|---|
| CVE-2025-58063 | DNS Cache Pinning via etcd Lease ID Confusion | ≥1.2.0 | 1.12.4 | High |
An attacker with write access to etcd can attach any lease to a DNS record, causing CoreDNS to serve entries with TTLs measured in decades.
Downstream resolvers without strict TTL caps will cache records indefinitely, ignoring subsequent updates or deletions.
An attacker first obtains write privileges to the etcd backend. This can occur through misconfigured roles, exposed endpoints, or stolen service account credentials.
They then grant a lease—regardless of its actual duration—and write or update a DNS key under CoreDNS’s service discovery path. CoreDNS responds with the record and the bogus TTL.
Clients and resolvers keep the record until it expires naturally or until the resolver enforces a hard cap. During this window, any legitimate update or rollback to the record is invisible to clients.
Service changes such as IP rotations, failovers, or emergency patches will be ignored, leading to prolonged disruption of DNS-based service discovery.
CoreDNS maintainers have fixed the issue in version 1.12.4 by querying etcd’s Lease API to retrieve actual lease durations and by introducing configurable TTL bounds.
Administrators should upgrade to the patched version immediately. In environments where immediate upgrades are impractical, teams should enforce TTL limits in DNS resolvers or gatekeeper proxies to clamp excessive values.
Regular audits of etcd permissions and rotation of service account credentials can further reduce the risk of unauthorized write access.
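The following Go program is an added illustration, not CoreDNS's own code, of the two patterns the article contrasts: the flawed conversion in which an opaque 64-bit etcd lease ID is cast to a 32-bit unsigned integer and used as a TTL, and a hardened replacement that resolves the lease's real remaining time and clamps the result to configurable bounds. The lease ID, the default TTL of 300 seconds, the lookup callback standing in for etcd's Lease API, and the bound values are all constructed assumptions for the example.

```go
package main

import "fmt"

// Constructed etcd lease ID for the example. Real lease IDs are opaque
// int64 handles allocated by etcd; this value is invented here.
const SampleLeaseID int64 = 0x694d7a1b2c3d4e5f

// Fallback TTL used when neither etcd nor the service record supplies one.
// The value is an assumption for the example.
const DefaultTTL uint32 = 300

// TruncatedLeaseTTL reproduces the flawed pattern the advisory describes:
// the lease ID is narrowed to uint32, so its low 32 bits become the TTL.
// Simplified illustration, not the project's implementation.
func TruncatedLeaseTTL(leaseID int64, serviceTTL uint32) uint32 {
	etcdTTL := uint32(leaseID) // Go keeps only the low 32 bits here
	switch {
	case etcdTTL == 0 && serviceTTL == 0:
		return DefaultTTL
	case etcdTTL == 0:
		return serviceTTL
	case serviceTTL == 0:
		return etcdTTL
	case etcdTTL < serviceTTL:
		return etcdTTL
	}
	return serviceTTL
}

// LeaseTTLLookup stands in for a call to etcd's Lease API that returns the
// lease's remaining lifetime in seconds (a duration, not an identifier).
type LeaseTTLLookup func(leaseID int64) (int64, error)

// BoundedLeaseTTL is the hardened pattern: ask etcd how long the lease
// actually has left, take the smaller of that and the record's own TTL,
// then clamp the result to [minTTL, maxTTL].
func BoundedLeaseTTL(leaseID int64, serviceTTL uint32, lookup LeaseTTLLookup, minTTL, maxTTL uint32) uint32 {
	ttl := serviceTTL
	if leaseID != 0 {
		if remaining, err := lookup(leaseID); err == nil && remaining > 0 {
			leaseTTL := clampInt64ToUint32(remaining)
			if ttl == 0 || leaseTTL < ttl {
				ttl = leaseTTL
			}
		}
	}
	if ttl == 0 {
		ttl = DefaultTTL
	}
	return ClampTTL(ttl, minTTL, maxTTL)
}

// clampInt64ToUint32 converts without silently wrapping.
func clampInt64ToUint32(v int64) uint32 {
	if v < 0 {
		return 0
	}
	if v > int64(^uint32(0)) {
		return ^uint32(0)
	}
	return uint32(v)
}

// ClampTTL enforces the TTL bounds a resolver or proxy would apply.
func ClampTTL(ttl, minTTL, maxTTL uint32) uint32 {
	if ttl < minTTL {
		return minTTL
	}
	if ttl > maxTTL {
		return maxTTL
	}
	return ttl
}

// TTLYears expresses a TTL in years, useful when triaging cached answers.
func TTLYears(ttl uint32) float64 {
	return float64(ttl) / (365 * 24 * 3600)
}

func main() {
	flawed := TruncatedLeaseTTL(SampleLeaseID, 0)
	fmt.Printf("flawed TTL: %d seconds (%.1f years)\n", flawed, TTLYears(flawed))

	// Constructed lookup: pretend etcd reports 120 seconds left on the lease.
	lookup := func(int64) (int64, error) { return 120, nil }
	fixed := BoundedLeaseTTL(SampleLeaseID, 0, lookup, 5, 3600)
	fmt.Printf("bounded TTL: %d seconds\n", fixed)
}
```

Running the program shows the truncated lease ID yielding a TTL of roughly 23.5 years, while the bounded path returns the lease's real 120-second lifetime; even if the lease lookup were to return an oversized value, `ClampTTL` caps it at the configured maximum, which is the same clamping the article recommends applying in resolvers or proxies when an upgrade must wait.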