Summary
trust-dns vulnerable to Remote Attackers causing Denial-of-Service (packet loops) with crafted DNS packets
trust-dns and trust-dns-server are vulnerable to remotely triggered denial-of-service attacks, consuming both network and CPU resources.
DNS messages with the QR=1 bit set are responded to with a FormErr response.
This allows creating a traffic loop, in which these FormErr responses are sent nonstop between vulnerable servers.
There are two scenarios how this can be exploited: 1) Create a loop between two instances of trust-dns, consuming network resources, or 2) consuming the CPU of a single instance.
With two instances A and B an attacker sends a DNS query with a spoofed source IP address to A.
A replies with a FormErr to B.
Now both servers with ping-pong the message back and forth until by chance the packet is dropped in the network.
Multiple spoofed packets can be sent by the attacker, increasing resource consumption.
A single server can get locked up replying to itself.
Same setup as above, but now A sends the reply to itself.
The packet is sent out as fast as the CPU and network stack manage.
This locks up a CPU core.
Multiple packets from the attacker consume multiple CPU cores.
Impact
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Already deployed Kodem?
See it in your environmentNew to Kodem? Get a demo →Remediation advice
trust-dns-server to 0.22.1 or later; trust-dns-server to 0.23.0-alpha.3 or later
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
Frequently Asked Questions
- What is GHSA-5FM9-H728-FWPJ? GHSA-5FM9-H728-FWPJ is a medium-severity security vulnerability in trust-dns-server (rust), affecting versions < 0.22.1. It is fixed in 0.22.1, 0.23.0-alpha.3.
- Which versions of trust-dns-server are affected by GHSA-5FM9-H728-FWPJ? trust-dns-server (rust) versions < 0.22.1 is affected.
- Is there a fix for GHSA-5FM9-H728-FWPJ? Yes. GHSA-5FM9-H728-FWPJ is fixed in 0.22.1, 0.23.0-alpha.3. Upgrade to this version or later.
- Is GHSA-5FM9-H728-FWPJ exploitable, and should I be worried? Whether GHSA-5FM9-H728-FWPJ is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether GHSA-5FM9-H728-FWPJ is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix GHSA-5FM9-H728-FWPJ?
- Upgrade
trust-dns-serverto 0.22.1 or later - Upgrade
trust-dns-serverto 0.23.0-alpha.3 or later
- Upgrade