CVE-2025-11411: CWE-349 Acceptance of Extraneous Untrusted Data With Trusted Data in NLnet Labs Unbound
NLnet Labs Unbound versions up to and including 1.24.1 are vulnerable to domain hijack attacks via acceptance of unsolicited NS RRSets in DNS replies: an attacker who gets a crafted reply accepted can inject an NS RRSet that poisons the resolver's delegation information. Version 1.24.1 introduced a first fix that removes unsolicited NS RRSets from replies, and 1.24.2 completes it by scrubbing such data from additional reply types, so 1.24.1 is only partially protected and 1.24.2 is the version to upgrade to.
AI Analysis
Technical Summary
CVE-2025-11411 describes a weakness in the NLnet Labs Unbound DNS resolver, in versions up to and including 1.24.1, where unsolicited NS RRSets in the authority section of a DNS reply (NS records for a zone the query was not about) can be accepted and used to update the resolver's delegation information. Accepting this extraneous, untrusted data alongside the trusted part of the reply (CWE-349) lets an attacker poison the resolver's knowledge of which name servers serve a zone, which amounts to a domain hijack. The attacker first has to get a forged reply accepted by the resolver, for example through spoofed packets (matching the transaction ID and source port) or fragmentation attacks. Unbound 1.24.1 mitigates this by scrubbing unsolicited NS RRSets and their address records from replies; 1.24.2 extends the scrubbing to YXDOMAIN and non-referral nodata replies, which 1.24.1 left uncovered.
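To make the scrubbing rule concrete, the following is an added Python illustration; it is not Unbound's code and the keep/drop rule is a simplified approximation of what the advisory describes. It contains a minimal DNS wire-format parser, a constructed reply that smuggles unsolicited NS RRSets next to a legitimate answer, and a scrubber that keeps an NS RRSet from the authority section only when its owner lies inside the bailiwick of the server that was queried and is the query name or an ancestor of it, dropping the address records of the name servers named in any discarded RRSet. All names and addresses, and the bailiwick argument (assumed to be known from the resolver's iterator state), are assumptions made for the example.

```python
"""Toy scrubber for unsolicited NS RRsets in DNS replies (added illustration, not Unbound's code)."""
import struct

TYPE_A, TYPE_NS, TYPE_AAAA = 1, 2, 28

def encode_name(name):
    """Wire-encode a dotted absolute name without compression."""
    labels = [lab for lab in name.rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def decode_name(msg, off):
    """Decode a (possibly compressed) name at msg[off]; return (name, end offset)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii").lower())
        off += length
    return ".".join(labels) + ".", (off if end is None else end)

def build_reply(qname, qtype, answers, authority, additional=(), rcode=0):
    """Build a constructed authoritative reply; RRs are (owner, type, rdata), TTL 300."""
    msg = struct.pack("!HHHHHH", 0x1234, 0x8400 | rcode, 1,
                      len(answers), len(authority), len(additional))
    msg += encode_name(qname) + struct.pack("!HH", qtype, 1)
    for owner, rtype, rdata in list(answers) + list(authority) + list(additional):
        msg += encode_name(owner) + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    return msg

def parse_reply(msg):
    """Parse header, question and RR sections. Each RR becomes
    (owner, type, rdata, ns_target), ns_target being the NS rdata name or None."""
    _id, flags, _qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    qname, off = decode_name(msg, 12)
    qtype = struct.unpack("!HH", msg[off:off + 4])[0]
    off += 4
    reply = {"rcode": flags & 0xF, "qname": qname, "qtype": qtype}
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        rrs = []
        for _ in range(count):
            owner, off = decode_name(msg, off)
            rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            target = decode_name(msg, off)[0] if rtype == TYPE_NS else None
            rrs.append((owner, rtype, msg[off:off + rdlen], target))
            off += rdlen
        reply[section] = rrs
    return reply

def is_subdomain(name, zone):
    """True if name equals zone or lies below it (absolute, lowercase names)."""
    return zone == "." or name == zone or name.endswith("." + zone)

def scrub_reply(reply, bailiwick):
    """Drop NS RRsets the resolver did not ask for, plus glue pointing at them.
    bailiwick (assumed known) is the zone the query was sent to. An authority NS
    RRset is kept only if its owner is inside that zone AND is the query name or an
    ancestor of it; the same rule is applied to every reply type (referral,
    positive answer, nodata, YXDOMAIN), as the page describes for 1.24.2."""
    kept, dropped = [], []
    for rr in reply["authority"]:
        owner, rtype = rr[0], rr[1]
        solicited = is_subdomain(owner, bailiwick) and is_subdomain(reply["qname"], owner)
        (kept if rtype != TYPE_NS or solicited else dropped).append(rr)
    poisoned = {rr[3] for rr in dropped}                # name servers we no longer trust
    additional = [rr for rr in reply["additional"]
                  if not (rr[1] in (TYPE_A, TYPE_AAAA) and rr[0] in poisoned)]
    return {**reply, "authority": kept, "additional": additional, "dropped": dropped}

# Constructed sample (made-up names and addresses): reply to "www.example.com. A" from
# an example.com. server that smuggles NS RRsets for victim.example. (outside the
# bailiwick) and sub.example.com. (inside it, but not an ancestor of the query name).
ATTACKER_NS = "ns.attacker.example."
SAMPLE_REPLY = build_reply(
    "www.example.com.", TYPE_A,
    answers=[("www.example.com.", TYPE_A, bytes([192, 0, 2, 10]))],
    authority=[("example.com.", TYPE_NS, encode_name("ns1.example.com.")),
               ("victim.example.", TYPE_NS, encode_name(ATTACKER_NS)),
               ("sub.example.com.", TYPE_NS, encode_name(ATTACKER_NS))],
    additional=[("ns1.example.com.", TYPE_A, bytes([192, 0, 2, 53])),
                (ATTACKER_NS, TYPE_A, bytes([198, 51, 100, 66]))],
)

def demo():
    """Scrub the sample reply; return the owner names kept and dropped."""
    result = scrub_reply(parse_reply(SAMPLE_REPLY), "example.com.")
    return {"kept_ns": [rr[0] for rr in result["authority"] if rr[1] == TYPE_NS],
            "dropped_ns": [rr[0] for rr in result["dropped"]],
            "glue_kept": [rr[0] for rr[0] in []] or [rr[0] for rr in result["additional"]]}
```

Running demo() keeps only the example.com. NS RRSet and the glue for ns1.example.com.; the two smuggled NS RRSets and the attacker's glue are discarded, so nothing in the scrubbed reply can be used to re-point victim.example. or sub.example.com. The real fix works on Unbound's internal message representation rather than on raw wire bytes, but the acceptance criterion it enforces is of this shape.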
Potential Impact
An attacker who gets a crafted reply accepted can inject an NS RRSet that makes the resolver update its delegation information for a zone incorrectly, so that subsequent queries for that zone are sent to attacker-controlled name servers (domain hijacking). The CVSS v4.0 base score is 5.7 (Medium): the attack is reachable over the network and needs no privileges or user interaction, but it depends on the attacker winning a spoofing race or a fragmentation attack, and the damage is to the integrity of name resolution (and, through misdirection, its availability) rather than to the resolver host itself.
Mitigation Recommendations
Unbound 1.24.1 added scrubbing of unsolicited NS RRSets and their address records from replies; 1.24.2 extends that scrubbing to YXDOMAIN and non-referral nodata replies, which 1.24.1 does not cover. Upgrade to 1.24.2 or later; 1.24.1 is only a partial fix. The fixed versions are the ones named in the vendor description above. After upgrading, confirm the running version with unbound -V and restart the daemon so that any delegation data already poisoned in the in-memory cache is discarded (if a dumped cache is reloaded across the restart, flush the zones of concern with unbound-control flush_zone rather than trusting it). Source-port randomisation and DNSSEC validation (which limits the damage for signed zones) remain worthwhile defence in depth against spoofed replies, but they do not replace the upgrade.
CVSS v4.0 score: 5.7 (Medium)
Technical Details
- Data Version: 5.1
- Assigner Short Name: NLnet Labs
- Date Reserved: 2025-10-07T09:07:44.926Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68f8d2c779108345beab68dd
Added to database: 10/22/2025, 12:49:11 UTC
Last enriched: 06/09/2026, 10:43:40 UTC
Last updated: 07/03/2026, 20:51:21 UTC