GHSA-5FM9-H728-FWPJ

GHSA-5FM9-H728-FWPJ is a medium-severity security vulnerability in trust-dns-server (rust), affecting versions < 0.22.1. It is fixed in 0.22.1, 0.23.0-alpha.3.

Does this CVE actually affect you?

Kodem shows which CVEs are reachable and running in your applications, so you fix what's exploitable, not just what's listed.

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Runtime intelligence, not another scanner.

Summary

trust-dns vulnerable to Remote Attackers causing Denial-of-Service (packet loops) with crafted DNS packets

trust-dns and trust-dns-server are vulnerable to remotely triggered denial-of-service attacks, consuming both network and CPU resources.
DNS messages with the QR=1 bit set are responded to with a FormErr response.
This allows creating a traffic loop, in which these FormErr responses are sent nonstop between vulnerable servers.

There are two scenarios how this can be exploited: 1) Create a loop between two instances of trust-dns, consuming network resources, or 2) consuming the CPU of a single instance.

With two instances A and B an attacker sends a DNS query with a spoofed source IP address to A.
A replies with a FormErr to B.
Now both servers with ping-pong the message back and forth until by chance the packet is dropped in the network.
Multiple spoofed packets can be sent by the attacker, increasing resource consumption.

A single server can get locked up replying to itself.
Same setup as above, but now A sends the reply to itself.
The packet is sent out as fast as the CPU and network stack manage.
This locks up a CPU core.
Multiple packets from the attacker consume multiple CPU cores.

Impact

Affected versions

trust-dns-server (< 0.22.1) trust-dns-server (>= 0.23.0-alpha.2, < 0.23.0-alpha.3)

Security releases

trust-dns-server → 0.22.1 (rust) trust-dns-server → 0.23.0-alpha.3 (rust)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

Already deployed Kodem?

See it in your environmentNew to Kodem? Get a demo →

Remediation advice

Upgrade the following packages to resolve this vulnerability:

trust-dns-server to 0.22.1 or later; trust-dns-server to 0.23.0-alpha.3 or later

Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.

Frequently Asked Questions

  1. What is GHSA-5FM9-H728-FWPJ? GHSA-5FM9-H728-FWPJ is a medium-severity security vulnerability in trust-dns-server (rust), affecting versions < 0.22.1. It is fixed in 0.22.1, 0.23.0-alpha.3.
  2. Which versions of trust-dns-server are affected by GHSA-5FM9-H728-FWPJ? trust-dns-server (rust) versions < 0.22.1 is affected.
  3. Is there a fix for GHSA-5FM9-H728-FWPJ? Yes. GHSA-5FM9-H728-FWPJ is fixed in 0.22.1, 0.23.0-alpha.3. Upgrade to this version or later.
  4. Is GHSA-5FM9-H728-FWPJ exploitable, and should I be worried? Whether GHSA-5FM9-H728-FWPJ is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
  5. What actually determines whether GHSA-5FM9-H728-FWPJ is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  6. How do I fix GHSA-5FM9-H728-FWPJ?
    • Upgrade trust-dns-server to 0.22.1 or later
    • Upgrade trust-dns-server to 0.23.0-alpha.3 or later

Other vulnerabilities in trust-dns-server

Stop the waste.
Protect your environment with Kodem.