CVE-2025-58066: 
Rust vulnerability analysis and mitigation

CVE-2025-58066 affects ntpd-rs, a tool for synchronizing computer clocks that implements NTP and NTS protocols. The vulnerability was discovered in versions between 1.2.0 and 1.6.1 inclusive, specifically affecting servers that allow non-NTS traffic. The issue was disclosed on August 29, 2025, and was reported by Eric Sesterhenn from X41 D-Sec GmbH (GitHub Advisory).

The vulnerability stems from an implementation flaw where ntpd-rs servers incorrectly respond to all NTP messages sent to the server's port with a time reply, including responses from other servers. This behavior has been present since version 1.2.0. The vulnerability has been assigned a CVSS v3.1 base score of 5.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L, indicating network accessibility, low attack complexity, and no required privileges or user interaction (GitHub Advisory).

The vulnerability can lead to a denial of service condition where an attacker can induce a message storm between two NTP servers running ntpd-rs. By using spoofed IP addresses, an attacker can cause two servers to continually respond to each other, consuming significant amounts of resources. Client-only configurations are not affected by this vulnerability (GitHub Advisory).

The primary mitigation is to upgrade to version 1.6.2. For cases where immediate upgrading is not possible, several workarounds are available: whitelisting access to only client IP addresses using the ignore filter method, blocking incoming non-request traffic on the NTP server port using a firewall, disabling public access to the vulnerable NTP server, or disabling the server functionality by removing any [server] sections from the configuration (GitHub Advisory).