DNS SSRF in MIT Kerberos kdcproxy
CVE-2025-59088 Published on November 12, 2025

Python-kdcproxy: unauthenticated ssrf via realm‑controlled dns srv
If kdcproxy receives a request for a realm which does not have server addresses defined in its configuration, by default, it will query SRV records in the DNS zone matching the requested realm name. This creates a server-side request forgery vulnerability, since an attacker could send a request for a realm matching a DNS zone where they created SRV records pointing to arbitrary ports and hostnames (which may resolve to loopback or internal IP addresses). This vulnerability can be exploited to probe internal network topology and firewall rules, perform port scanning, and exfiltrate data. Deployments where the "use_dns" setting is explicitly set to false are not affected.

Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory NVD

Vulnerability Analysis

CVE-2025-59088 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality, with no impact on integrity and availability.

Attack Vector:

NETWORK

Attack Complexity:

LOW

Privileges Required:

NONE

User Interaction:

NONE

Scope:

CHANGED

Confidentiality Impact:

HIGH

Integrity Impact:

NONE

Availability Impact:

NONE

Timeline

2025-09-08

Reported to Red Hat.

2025-11-12

Made public. 65 days later.

Weakness Type

What is a SSRF Vulnerability?

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. By providing URLs to unexpected hosts or ports, attackers can make it appear that the server is sending the request, possibly bypassing access controls such as firewalls that prevent the attackers from accessing the URLs directly. The server can be used as a proxy to conduct port scanning of hosts in internal networks, use other URLs such as that can access documents on the system (using file://), or use other protocols such as gopher:// or tftp://, which may provide greater control over the contents of requests.

CVE-2025-59088 has been classified to as a SSRF vulnerability or weakness.

Products Associated with CVE-2025-59088

Want to know whenever a new CVE is published for Red Hat products? stack.watch will email you.

Red Hat Enterprise Linux (RHEL)

Red Hat Enterprise Linux Eus

Red Hat Rhel Eus

Red Hat Rhel E4s

Red Hat Rhel Aus

Red Hat Rhel Eus Long Life

Red Hat Rhel Tus

Red Hat Rhel Els

Affected Versions

latchset kdcproxy:

Before 1.1.0 is affected.

Red Hat Enterprise Linux 10:

Version 0:1.0.0-19.el10_1 and below * is unaffected.

Red Hat Enterprise Linux 10.0 Extended Update Support:

Version 0:1.0.0-19.el10_0 and below * is unaffected.

Red Hat Enterprise Linux 7 Extended Lifecycle Support:

Version 0:0.3.2-3.el7_9.3 and below * is unaffected.

Red Hat Enterprise Linux 8:

Version 8100020251103113748.143e9e98 and below * is unaffected.

Red Hat Enterprise Linux 8:

Version 8100020251028161822.823393f5 and below * is unaffected.

Red Hat Enterprise Linux 8.2 Advanced Update Support:

Version 8020020251106022345.792f4060 and below * is unaffected.

Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support:

Version 8040020251103205102.5b01ab7e and below * is unaffected.

Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On:

Version 8040020251103205102.5b01ab7e and below * is unaffected.

Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support:

Version 8060020251030180424.ada582f1 and below * is unaffected.

Red Hat Enterprise Linux 8.6 Telecommunications Update Service:

Version 8060020251030180424.ada582f1 and below * is unaffected.

Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions:

Version 8060020251030180424.ada582f1 and below * is unaffected.

Red Hat Enterprise Linux 8.8 Telecommunications Update Service:

Version 8080020251029082621.b0a6ceea and below * is unaffected.

Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions:

Version 8080020251029082621.b0a6ceea and below * is unaffected.

Red Hat Enterprise Linux 9:

Version 0:1.0.0-9.el9_7 and below * is unaffected.

Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions:

Version 0:1.0.0-7.el9_0.1 and below * is unaffected.

Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions:

Version 0:1.0.0-7.el9_2.1 and below * is unaffected.

Red Hat Enterprise Linux 9.4 Extended Update Support:

Version 0:1.0.0-7.el9_4.1 and below * is unaffected.

Red Hat Enterprise Linux 9.6 Extended Update Support:

Version 0:1.0.0-9.el9_6 and below * is unaffected.

Exploit Probability

EPSS

0.07%

Percentile

19.94%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.

DNS SSRF in MIT Kerberos kdcproxyCVE-2025-59088 Published on November 12, 2025

Vulnerability Analysis

Timeline

Weakness Type

What is a SSRF Vulnerability?

Products Associated with CVE-2025-59088

Affected Versions

Exploit Probability

DNS SSRF in MIT Kerberos kdcproxy
CVE-2025-59088 Published on November 12, 2025