CVE-2025-59088
Rocky Linux vulnerability analysis and mitigation

Overview

CVE-2025-59088 is a Server-Side Request Forgery (SSRF) vulnerability discovered in python-kdcproxy. The vulnerability was disclosed on November 12, 2025, affecting kdcproxy when it receives a request for a realm without defined server addresses in its configuration. By default, it queries SRV records in the DNS zone matching the requested realm name (NVD).

Technical details

The vulnerability occurs because kdcproxy allows DNS discovery for any requested realm by querying SRV records from the DNS zone matching the realm name. An attacker could send a request for a realm matching a DNS zone where they created SRV records pointing to arbitrary ports and hostnames, which may resolve to loopback or internal IP addresses. The vulnerability has been assigned a CVSS 3.1 base score of 8.6 (HIGH) with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N (Red Hat).

Impact

This vulnerability can be exploited to probe internal network topology and firewall rules, perform port scanning, and exfiltrate data. The attacker could direct requests to any IP addresses, including loopback and internal network addresses, allowing for network reconnaissance and potential data theft (GitHub PR).

Mitigation and workarounds

The vulnerability has been patched by restricting DNS discovery of KDCs to realms that are explicitly declared in the configuration. Support for wildcard realm sections (e.g., [*EXAMPLE.COM]) has been added to handle realm hierarchies. Deployments where the 'usedns' setting is explicitly set to false are not affected. The previous, unsafe behavior can be restored with the dnsrealm_discovery setting if needed (GitHub PR).
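To make the policy change concrete, the following added example (not kdcproxy's own code, nor anything from the linked PR) models the realm-lookup decision before and after the fix against a constructed INI-style configuration. The section and key names used (`[global]`, `usedns`, `dnsrealm_discovery`, and `[*SUFFIX]` wildcard sections) follow the wording of this page; their exact spelling and the precise wildcard semantics in a given kdcproxy release are assumptions that should be checked against that release's documentation. The SRV name shape `_kerberos._tcp.<zone>` is the standard Kerberos DNS location record.

```python
"""Model of kdcproxy realm discovery: declared realms only vs. legacy any-realm DNS.

Added example, not kdcproxy's own code. Config key names follow the page's
wording and are assumptions about exact spelling in a given release.
"""
import configparser

# Constructed sample configuration (not from any real deployment).
SAMPLE_CONFIG = """
[global]
usedns = true
dnsrealm_discovery = false

[EXAMPLE.COM]
; realm with explicit KDC addresses: DNS is never consulted for it
kerberos = kerberos+tcp://kdc.example.com:88

[LEGACY.EXAMPLE.COM]
; declared but without addresses: SRV discovery permitted for this realm only

[*LAB.EXAMPLE.COM]
; assumed wildcard semantics: LAB.EXAMPLE.COM and its sub-realms may use SRV discovery
"""

# The same configuration with the page's "previous unsafe behavior" switched back on.
LEGACY_CONFIG = SAMPLE_CONFIG.replace("dnsrealm_discovery = false",
                                      "dnsrealm_discovery = true")


def load_config(text):
    """Parse an INI-style configuration string (full-line ';' comments allowed)."""
    parser = configparser.ConfigParser()
    parser.read_string(text)
    return parser


def find_section(parser, realm):
    """Return the section covering `realm`: an exact (case-insensitive) match
    first, otherwise the most specific wildcard `[*SUFFIX]` section whose
    suffix is the realm itself or a parent realm of it; None if nothing matches."""
    realm = realm.upper()
    best = None
    for section in parser.sections():
        if section == "global":
            continue
        if section.startswith("*"):
            suffix = section[1:].upper()
            # Require a label boundary so *LAB.EXAMPLE.COM never matches XLAB.EXAMPLE.COM.
            if realm == suffix or realm.endswith("." + suffix):
                if best is None or len(suffix) > len(best) - 1:
                    best = section
        elif section.upper() == realm:
            return section
    return best


def resolve_realm(parser, realm):
    """Decide how KDCs for `realm` are located.

    Returns one of:
      ("static", [urls])  -- addresses taken from the config, no DNS involved
      ("dns", srv_name)   -- SRV lookup permitted for that name
      ("refuse", reason)  -- request rejected before any network access
    """
    section = find_section(parser, realm)
    if section is not None and parser.has_option(section, "kerberos"):
        return ("static", parser.get(section, "kerberos").split())
    if not parser.getboolean("global", "usedns", fallback=True):
        return ("refuse", "DNS discovery disabled by usedns = false")
    srv_name = "_kerberos._tcp." + realm.lower()
    if section is not None:
        # Fixed behaviour: discovery only for realms the operator declared.
        return ("dns", srv_name)
    if parser.getboolean("global", "dnsrealm_discovery", fallback=False):
        # Pre-fix behaviour: any client-supplied realm becomes a DNS zone to query,
        # so SRV records under an attacker-controlled zone steer the proxy's requests.
        return ("dns", srv_name)
    return ("refuse", "realm %s is not declared in the configuration" % realm)


if __name__ == "__main__":
    for label, text in (("fixed", SAMPLE_CONFIG), ("legacy", LEGACY_CONFIG)):
        cfg = load_config(text)
        for realm in ("EXAMPLE.COM", "LEGACY.EXAMPLE.COM",
                      "DEV.LAB.EXAMPLE.COM", "UNDECLARED.EXAMPLE.ORG"):
            print(label, realm, "->", resolve_realm(cfg, realm))
```

Running the block prints the decision for each realm under both configurations; the only realm whose outcome changes between the two is the undeclared one, which is exactly the request shape the fix refuses. When auditing a deployment, the two settings to check are `usedns` (off disables the DNS path entirely) and `dnsrealm_discovery` (on restores the pre-fix behavior).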

This report was generated using AI.

Related Rocky Linux vulnerabilities:

| CVE ID | Severity | Score | Technologies | Component name | CISA KEV exploit | Has fix | Published date |
|---|---|---|---|---|---|---|---|
| CVE-2025-13020 | HIGH | 8.8 | NixOS | cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:* | No | Yes | Nov 11, 2025 |
| CVE-2025-59088 | HIGH | 8.6 | Rocky Linux | idm:client::python3-pyusb | No | Yes | Nov 12, 2025 |
| CVE-2025-13019 | HIGH | 8.1 | NixOS | MozillaThunderbird-translations-common | No | Yes | Nov 11, 2025 |
| CVE-2025-13018 | HIGH | 8.1 | NixOS | rhel10::firefox-flatpak | No | Yes | Nov 11, 2025 |
| CVE-2025-59089 | MEDIUM | 5.9 | Rocky Linux | python-qrcode | No | Yes | Nov 12, 2025 |
