CVE-2025-30192: 
Linux Debian vulnerability analysis and mitigation

A security vulnerability (CVE-2025-30192) was discovered in PowerDNS Recursor affecting versions up to and including 5.0.10, 5.1.4, and 5.2.2, specifically when outgoing ECS (EDNS Client Subnet) is enabled. The vulnerability was disclosed on July 21, 2025, and was identified by Xiang Li of AOSP Lab Nankai University (PowerDNS Advisory).

The vulnerability relates to insufficient verification of data authenticity (CWE-345) in PowerDNS Recursor's handling of ECS-enabled queries. When the system is configured to send out ECS-enabled queries, it becomes more susceptible to spoofing attempts compared to non-ECS enabled queries. The vulnerability has received a CVSS v3.1 base score of 7.5 (High), with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (PowerDNS Advisory).

The primary impact of this vulnerability is cache pollution, which can occur when an attacker successfully spoofs answers to ECS-enabled requests. The vulnerability affects the availability of the DNS service, though there is no risk of system compromise (PowerDNS Advisory).

The vulnerability has been patched in PowerDNS Recursor versions 5.0.12, 5.1.6, and 5.2.4. Organizations can either upgrade to these patched versions or disable outgoing ECS, which is the default configuration. The updated versions include various mitigations against spoofing attempts of ECS-enabled queries by implementing chain validation and enforcing stricter validation of received answers. Additional protection is available through the new setting 'outgoing.edns_subnet_harden' (or legacy name 'edns-subnet-harden') (PowerDNS Advisory).