Summary
DNSJava DNSSEC Bypass
Records in DNS replies are not checked for their relevance to the query, allowing an attacker to respond with RRs from different zones.
Details
DNS Messages are not authenticated. They do not guarantee that
- received RRs are authentic
- not received RRs do not exist
- all or any received records in a response relate to the request
Applications utilizing DNSSEC generally expect these guarantees to be met, however DNSSEC by itself only guarantees the first two.
To meet the third guarantee, resolvers generally follow an (undocumented, as far as RFCs go) algorithm such as: (simplified, e.g. lacks DNSSEC validation!)
- denote by
QNAMEthe name you are querying (e.g. fraunhofer.de.), and initialize a list of aliases - if the ANSWER section contains a valid PTR RRSet for
QNAME, return it (and optionally return the list of aliases as well) - if the ANSWER section contains a valid CNAME RRSet for
QNAME, add it to the list of aliases. SetQNAMEto the CNAME's target and go to 2. - Verify that
QNAMEdoes not have any PTR, CNAME and DNAME records using valid NSEC or NSEC3 records. Returnnull.
Note that this algorithm relies on NSEC records and thus requires a considerable portion of the DNSSEC specifications to be implemented. For this reason, it cannot be performed by a DNS client (aka application) and is typically performed as part of the resolver logic.
dnsjava does not implement a comparable algorithm, and the provided APIs instead return either
- the received DNS message itself (e.g. when using a ValidatingResolver such as in this example), or
- essentially just the contents of its ANSWER section (e.g. when using a LookupSession such as in this example)
If applications blindly filter the received results for RRs of the desired record type (as seems to be typical usage for dnsjava), a rogue recursive resolver or (on UDP/TCP connections) a network attacker can
- In addition to the actual DNS response, add RRs irrelevant to the query but of the right datatype, e.g. from another zone, as long as that zone is correctly using DNSSEC, or
- completely exchange the relevant response records
Mitigations
At this point, the following mitigations are recommended:
- When using a ValidatingResolver, ignore any Server indications of whether or not data was available (e.g. NXDOMAIN, NODATA, ...).
- For APIs returning RRs from DNS responses, filter the RRs using an algorithm such as the one above. This includes e.g.
LookupSession.lookupAsync. - Remove APIs dealing with raw DNS messages from the examples section or place a noticable warning above.
Impact
DNS(SEC) libraries are usually used as part of a larger security framework.
Therefore, the main misuses of this vulnerability concern application code, which might take the returned records as authentic answers to the request.
Here are three concrete examples of where this might be detrimental:
- RFC 6186 specifies that to connect to an IMAP server for a user, a mail user agent should retrieve certain SRV records and send the user's credentials to the specified servers. Exchanging the SRV records can be a tool to redirect the credentials.
- When delivering mail via SMTP, MX records determine where to deliver the mails to. Exchanging the MX records might lead to information disclosure. Additionally, an exchange of TLSA records might allow attackers to intercept TLS traffic.
- Some research projects like LIGHTest are trying to manage CA trust stores via URI and SMIMEA records in the DNS. Exchanging these allows manipulating the root of trust for dependent applications.
CVE-2024-25638 has a CVSS score of 8.9 (High). The vector is network-reachable, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (3.6.0); upgrading removes the vulnerable code path.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Already deployed Kodem?
See it in your environmentNew to Kodem? Get a demo →Remediation advice
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
Frequently Asked Questions
- What is CVE-2024-25638? CVE-2024-25638 is a high-severity security vulnerability in dnsjava:dnsjava (maven), affecting versions < 3.6.0. It is fixed in 3.6.0.
- How severe is CVE-2024-25638? CVE-2024-25638 has a CVSS score of 8.9 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of dnsjava:dnsjava are affected by CVE-2024-25638? dnsjava:dnsjava (maven) versions < 3.6.0 is affected.
- Is there a fix for CVE-2024-25638? Yes. CVE-2024-25638 is fixed in 3.6.0. Upgrade to this version or later.
- Is CVE-2024-25638 exploitable, and should I be worried? Whether CVE-2024-25638 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether CVE-2024-25638 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2024-25638? Upgrade
dnsjava:dnsjavato 3.6.0 or later.