
Cloud Vulnerability DB
A community-led vulnerabilities database
A multi-vendor cache poisoning vulnerability named 'Rebirthday Attack' was discovered in caching resolvers that support EDNS Client Subnet (ECS). The vulnerability affects Unbound versions 1.6.2 through 1.23.0 when compiled with ECS support and configured to send ECS information to upstream name servers. The vulnerability was discovered by Xiang Li from AOSP Lab, Nankai University, and was disclosed on July 16, 2025 (NLnet Labs).
The vulnerability arises because a resolver that supports ECS must segregate its outgoing queries so that each carries the appropriate ECS information. That segregation re-opens the resolver to a birthday-paradox attack in which an attacker tries to match the DNS transaction ID and get a forged, non-ECS reply cached. It specifically affects installations compiled with '--enable-subnet' and configured with at least one of the 'send-client-subnet', 'client-subnet-zone' or 'client-subnet-always-forward' options. The CVSS 4.0 base score is 8.7 HIGH, with vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/R:U/V:C (NVD).
The vulnerability lets an attacker poison the cache in two steps: first, by sending queries that cause the resolver to issue segregated ECS outbound queries for a single domain; then, by sending forged non-ECS replies that try to guess the DNS transaction ID before the legitimate answer arrives from the upstream name server (NLnet Labs).
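Why the segregation matters can be quantified. The model below is an added example (it is not part of the report and not Unbound's code): for a 16-bit transaction ID it computes the chance that forged replies match one of the resolver's outstanding queries for a name, and compares the aggregated case (a single outstanding query, which is what the 1.23.1 fix restores for the non-ECS path) with the segregated case. The assumptions are labelled in the code: one outstanding query per distinct ECS scope, the transaction ID as the only unknown (source-port randomisation is ignored, a worst case for the defender), and distinct outstanding IDs.

```python
from math import ceil, log

TXID_SPACE = 1 << 16  # DNS transaction IDs are 16 bits wide


def match_probability(outstanding: int, forged_replies: int) -> float:
    """Probability that at least one of `forged_replies` replies, each carrying a
    uniformly random transaction ID, matches the ID of at least one of
    `outstanding` concurrent queries for the same name.

    Assumptions (worst case for the defender): the transaction ID is the only
    unknown, and the outstanding IDs are distinct.
    """
    if outstanding <= 0 or forged_replies <= 0:
        return 0.0
    if outstanding >= TXID_SPACE:
        return 1.0
    miss_per_reply = 1.0 - outstanding / TXID_SPACE
    return 1.0 - miss_per_reply ** forged_replies


def replies_for_success(outstanding: int, target: float = 0.5) -> int:
    """Smallest number of forged replies that reaches at least `target`
    probability of a match under the model above."""
    if outstanding <= 0:
        raise ValueError("need at least one outstanding query")
    if outstanding >= TXID_SPACE:
        return 1
    miss_per_reply = 1.0 - outstanding / TXID_SPACE
    return ceil(log(1.0 - target) / log(miss_per_reply))


def exposure_ratio(segregated_queries: int) -> float:
    """How much cheaper a match becomes when a name has `segregated_queries`
    outstanding upstream queries (assumed: one per ECS scope) instead of the
    single aggregated query that the fix restores."""
    return replies_for_success(1) / replies_for_success(segregated_queries)


if __name__ == "__main__":
    # Constructed scenario: 64 distinct ECS scopes force 64 parallel upstream queries.
    for n in (1, 8, 64):
        print(f"{n:3d} outstanding -> {replies_for_success(n):6d} forged replies for a 50% match")
    print(f"exposure ratio at 64 scopes: {exposure_ratio(64):.1f}x")
```

The ratio scales almost linearly with the number of segregated queries, which is the whole point of the fix: aggregating the non-ECS path back into one outstanding query removes the multiplier.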
The fix, released in Unbound 1.23.1, disregards replies without ECS when ECS was expected and instead creates a non-ECS sub-query, which can be aggregated with other such queries, to explicitly fetch the non-ECS authoritative answer. This re-introduced query aggregation defeats the Rebirthday Attack. Users can either upgrade to Unbound 1.23.1 or apply the manual patch available on the NLnet Labs website (NLnet Labs).
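To check an installation against the three conditions the advisory names (affected version range, a build with ECS support, and at least one of the send-side ECS options), here is an added example that is not NLnet Labs' code: it parses an unbound.conf-style text and a version string and reports whether the advisory applies. The configuration text is constructed, and whether the binary was built with '--enable-subnet' is passed in as a flag rather than detected.

```python
import re

AFFECTED_MIN = (1, 6, 2)    # first affected release named in the advisory
AFFECTED_MAX = (1, 23, 0)   # last affected release
FIXED = (1, 23, 1)          # release carrying the fix

# The three options that make the resolver send ECS upstream; any one of them counts.
ECS_SEND_OPTIONS = ("send-client-subnet", "client-subnet-zone", "client-subnet-always-forward")

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> tuple:
    """Extract a (major, minor, patch) tuple from text such as '1.22.0' or 'Version 1.22.0'."""
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(p) for p in m.groups())


def ecs_send_options(conf_text: str) -> dict:
    """Return the send-side ECS options actually set in an unbound.conf-style text.

    Lines are 'key: value' and '#' starts a comment. 'client-subnet-always-forward'
    only counts when set to 'yes' (its default is 'no'); the other two count
    whenever they carry a value.
    """
    found = {}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip().strip('"')
        if key not in ECS_SEND_OPTIONS or not value:
            continue
        if key == "client-subnet-always-forward" and value.lower() != "yes":
            continue
        found.setdefault(key, []).append(value)
    return found


def assess(version_text: str, conf_text: str, built_with_subnet: bool) -> dict:
    """Combine the three conditions into a verdict plus the evidence behind it."""
    version = parse_version(version_text)
    options = ecs_send_options(conf_text)
    in_affected_range = AFFECTED_MIN <= version <= AFFECTED_MAX
    exposed = in_affected_range and built_with_subnet and bool(options)
    return {
        "version": version,
        "in_affected_range": in_affected_range,
        "built_with_subnet": built_with_subnet,
        "ecs_send_options": options,
        "exposed": exposed,
        "action": ("upgrade to Unbound 1.23.1 or apply the NLnet Labs patch"
                   if exposed else "no action required by this advisory"),
    }


# Constructed sample configuration (not taken from a real deployment).
SAMPLE_CONF = """\
server:
    interface: 0.0.0.0
    send-client-subnet: 192.0.2.10          # sends ECS to this upstream (constructed)
    client-subnet-always-forward: no        # the default; does not count
"""

if __name__ == "__main__":
    for ver in ("1.22.0", "1.23.1"):
        verdict = assess(ver, SAMPLE_CONF, built_with_subnet=True)
        print(ver, "->", "EXPOSED" if verdict["exposed"] else "not affected", "|", verdict["action"])
```

A resolver that was built without ECS support, or that runs 1.23.1 or later, is outside the advisory regardless of configuration; a resolver in the affected range with any of the three options set is the case that needs the upgrade or the patch.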
Source: This report was generated using AI