
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2025-11411 affects NLnet Labs Unbound up to and including version 1.24.0. The vulnerability was discovered and disclosed by researchers from Tsinghua University on October 22, 2025. It allows possible domain hijack attacks through promiscuous NS RRSets that complement positive DNS replies in the authority section, which can be used to trick resolvers into updating their delegation information for the zone (NVD, Unbound Advisory).
The vulnerability exists in the handling of NS RRSets in DNS replies. A malicious actor can exploit it by injecting NS RRSets and their respective address records into a reply through methods such as packet spoofing or fragmentation attacks. Unbound would then update the NS RRSet data it already holds, because the new data carries enough trust as in-zone data for the delegation point. The vulnerability has been assigned a CVSS v4.0 score of 5.7 (Medium) with vector CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:H/E:P (NVD).
The vulnerability can lead to domain hijacking attacks where attackers can manipulate the resolver's delegation information for a zone. This affects the resolver's knowledge of the zone's name servers, potentially redirecting DNS queries to malicious servers (Unbound Advisory).
The vulnerability has been fixed in Unbound version 1.24.1, which includes a patch that scrubs unsolicited NS RRSets and their respective address records from replies. Users can either upgrade to version 1.24.1 or apply one of two available patches: a full patch that includes all updates, including tests and documentation, or a minimal patch that includes only the necessary code changes (Unbound Advisory).
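The scrubbing rule described above, as an added Python model that is not Unbound's code or the patch itself: it assumes a reply is "positive" when its answer section is non-empty, and the `RR`/`Reply` types, function names and sample records are constructed for illustration.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class RR:
    name: str
    rtype: str
    rdata: str

@dataclass(frozen=True)
class Reply:
    answer: tuple = ()
    authority: tuple = ()
    additional: tuple = ()

def norm(name):
    return name.rstrip(".").lower()  # DNS names compare case-insensitively

def scrub_unsolicited_ns(reply):
    """Return (scrubbed_reply, removed_records) for one parsed reply."""
    if not reply.answer:
        # Referral or negative reply: the authority section is the payload, keep it.
        return reply, []
    ns = [rr for rr in reply.authority if rr.rtype == "NS"]
    targets = {norm(rr.rdata) for rr in ns}
    glue = [rr for rr in reply.additional
            if rr.rtype in ("A", "AAAA") and norm(rr.name) in targets]
    scrubbed = replace(
        reply,
        authority=tuple(rr for rr in reply.authority if rr.rtype != "NS"),
        additional=tuple(rr for rr in reply.additional if rr not in glue),
    )
    return scrubbed, ns + glue

# Constructed sample replies (documentation names and address ranges only).
POSITIVE = Reply(
    answer=(RR("www.example.com.", "A", "192.0.2.10"),),
    authority=(RR("example.com.", "NS", "ns1.unexpected.example."),),
    additional=(RR("NS1.unexpected.example.", "A", "198.51.100.66"),
                RR("other.example.com.", "A", "192.0.2.11")),
)
REFERRAL = Reply(
    authority=(RR("example.com.", "NS", "ns1.example.com."),),
    additional=(RR("ns1.example.com.", "A", "192.0.2.53"),),
)

if __name__ == "__main__":
    for label, msg in (("positive", POSITIVE), ("referral", REFERRAL)):
        _, removed = scrub_unsolicited_ns(msg)
        print(label, "removed:", [(rr.name, rr.rtype) for rr in removed])
```

The same predicate can be run over parsed upstream replies in a capture to count how often positive answers arrive with NS data attached, which gives a baseline before and after upgrading.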
Source: This report was generated using AI