CVE-2025-58066: 
Rust vulnerability analysis and mitigation

CVE-2025-58066 affects ntpd-rs, a tool for synchronizing computer clocks that implements NTP and NTS protocols. The vulnerability was discovered and disclosed on August 29, 2025, affecting versions between 1.2.0 and 1.6.1 inclusive. The issue specifically impacts servers that allow non-NTS traffic, while client-only configurations remain unaffected (GitHub Advisory).

The vulnerability is classified as a denial of service issue with a CVSS v3.1 base score of 5.3 (Medium), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L. The technical root cause stems from the server incorrectly responding to all NTP messages sent to the server's port with a time reply, including responses from other servers. This implementation flaw has been categorized under CWE-406 (Insufficient Control of Network Message Volume) (NVD, GitHub Advisory).

When exploited, the vulnerability allows an attacker to induce a message storm between two NTP servers running ntpd-rs. By using spoofed IP addresses, attackers can cause servers to continuously respond to each other, resulting in significant resource consumption (GitHub Advisory).

The primary mitigation is to upgrade to version 1.6.2. For cases where immediate upgrading isn't possible, several workarounds are available: whitelisting access to only client IP addresses using the ignore filter method, blocking incoming non-request traffic on the NTP server port via firewall, disabling public access to the vulnerable NTP server, or disabling the server functionality by removing [server] sections from the configuration (GitHub Advisory).

The vulnerability was discovered and reported by Eric Sesterhenn from X41 D-Sec GmbH, demonstrating active security research in the NTP implementation space (GitHub Advisory).