
Cloud Vulnerability DB
A community-led vulnerabilities database
CoreDNS is a DNS server that chains plugins. A TTL confusion vulnerability (CVE-2025-58063) was discovered in the CoreDNS etcd plugin affecting versions 1.2.0 through 1.12.4, where lease IDs are incorrectly used as TTL values. The vulnerability was discovered and reported by thevilledev, with a fix released in version 1.12.4 (GitHub Advisory).
The vulnerability exists in the TTL() function within plugin/etcd/etcd.go, where 64-bit etcd lease IDs are incorrectly cast to uint32 and used as TTL values. Large lease IDs become very large TTLs when cast to uint32, which can result in DNS records being cached for extremely long periods. The vulnerability has been assigned a CVSS v3.1 base score of 7.1 (HIGH) with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H (GitHub Advisory).
The vulnerability enables DNS cache pinning attacks that can effectively create a denial of service condition for DNS resolution of affected services. Even after fixing or deleting the affected keys, downstream resolvers and clients may continue to use cached answers until their caches expire or enforce their own TTL caps. This primarily affects availability as service changes may be ignored for extended periods, with a secondary impact on integrity as stale/incorrect answers can persist abnormally long (GitHub Advisory).
The vulnerability has been fixed in CoreDNS version 1.12.4. The fix includes utilizing etcd's Lease API to determine proper TTL for leased records and adding configurable limits (min-lease-ttl and max-lease-ttl) to clamp potentially extreme TTL values. Organizations should upgrade to version 1.12.4 or later to address this vulnerability (GitHub Advisory, GitHub Commit).
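As an added illustration (constructed example code, not CoreDNS's own implementation), the following Go snippet contrasts the flawed derivation of a DNS TTL from a truncated 64-bit lease ID with a TTL taken from the lease's remaining lifetime and clamped to configurable bounds. The record type, the sampleRecord helper, the lease ID and the bound values are this example's assumptions; only the min-lease-ttl/max-lease-ttl option names come from the advisory.

```go
package main

import "fmt"

// record is a constructed stand-in for what the plugin sees for one key:
// the 64-bit etcd lease ID attached to it, and the lease's remaining TTL
// as the etcd Lease API would report it. Not CoreDNS's own type.
type record struct {
	LeaseID      int64 // 64-bit etcd lease ID
	LeaseTTLSecs int64 // remaining lifetime of the lease, in seconds
}

// sampleRecord returns constructed sample data: a lease ID whose low 32
// bits (0x5E6F7081) form a TTL of roughly 50 years, on a lease that in
// reality expires in 5 minutes.
func sampleRecord() record {
	return record{LeaseID: 0x1A2B3C4D5E6F7081, LeaseTTLSecs: 300}
}

// buggyTTL mirrors the flaw described in the advisory: the lease ID itself
// is truncated to uint32 and handed out as the DNS TTL, so the TTL is an
// arbitrary value unrelated to when the lease actually expires.
func buggyTTL(r record) uint32 {
	return uint32(r.LeaseID)
}

// clampTTL bounds a TTL the way the min-lease-ttl / max-lease-ttl options
// introduced by the fix are described to; the bounds are caller-supplied.
func clampTTL(ttl, minTTL, maxTTL uint32) uint32 {
	if ttl < minTTL {
		return minTTL
	}
	if ttl > maxTTL {
		return maxTTL
	}
	return ttl
}

// fixedTTL derives the TTL from the lease's remaining lifetime (as the fix
// does via the Lease API) and clamps it, guarding the int64->uint32 step
// so a huge or negative lifetime cannot itself wrap into a bad TTL.
func fixedTTL(r record, minTTL, maxTTL uint32) uint32 {
	ttl := r.LeaseTTLSecs
	if ttl < 0 {
		ttl = 0
	}
	if ttl > int64(maxTTL) {
		ttl = int64(maxTTL)
	}
	return clampTTL(uint32(ttl), minTTL, maxTTL)
}

func main() {
	r := sampleRecord()
	fmt.Printf("buggy TTL: %d s (~%d days)\n", buggyTTL(r), buggyTTL(r)/86400)
	fmt.Printf("fixed TTL: %d s\n", fixedTTL(r, 5, 3600)) // 300
}
```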
Source: This report was generated using AI