CVE-2025-59088: Server-Side Request Forgery (SSRF) in latchset kdcproxy
If kdcproxy receives a request for a realm which does not have server addresses defined in its configuration, by default, it will query SRV records in the DNS zone matching the requested realm name. This creates a server-side request forgery vulnerability, since an attacker could send a request for a realm matching a DNS zone where they created SRV records pointing to arbitrary ports and hostnames (which may resolve to loopback or internal IP addresses). This vulnerability can be exploited to probe internal network topology and firewall rules, perform port scanning, and exfiltrate data. Deployments where the "use_dns" setting is explicitly set to false are not affected.
AI Analysis
Technical Summary
The latchset kdcproxy component is vulnerable to a Server-Side Request Forgery (SSRF) issue identified as CVE-2025-59088. The vulnerability arises when kdcproxy processes requests for Kerberos realms that do not have explicitly configured server addresses. In such cases, kdcproxy automatically queries DNS SRV records within the DNS zone corresponding to the requested realm name. This default behavior allows an attacker to craft a request for a realm name under their control, where they have created malicious SRV records pointing to arbitrary hostnames and ports. These hostnames can resolve to internal IP addresses, loopback interfaces, or other sensitive network resources. As a result, the attacker can coerce kdcproxy into making network connections to internal systems that would otherwise be inaccessible externally. This can be exploited to perform internal network reconnaissance, including mapping network topology and firewall rules, conducting port scans, and potentially exfiltrating sensitive information by leveraging the proxy's network access. The vulnerability does not require any authentication or user interaction, increasing its exploitability. However, if the "use_dns" configuration option is explicitly set to false, kdcproxy will not perform these DNS SRV queries, mitigating the vulnerability. The CVSS v3.1 base score is 8.6, reflecting a high severity with network attack vector, low attack complexity, no privileges required, no user interaction, and a scope change affecting confidentiality. No public exploits have been reported as of the publication date.
Potential Impact
This vulnerability poses a significant risk to organizations deploying latchset kdcproxy, especially in environments where internal network segmentation and firewall rules are critical for security. Exploitation can lead to unauthorized internal network reconnaissance, revealing infrastructure details that can facilitate subsequent attacks. Attackers may identify open ports, services, and network configurations that are otherwise hidden from external view. Additionally, the ability to exfiltrate data through the proxy could compromise the confidentiality of sensitive information. Since the vulnerability requires neither authentication nor user interaction, it can be exploited remotely by unauthenticated attackers. Organizations relying on kdcproxy for Kerberos authentication proxying should consider this a high-risk issue, particularly in sectors with stringent security requirements such as government, finance, and critical infrastructure. The absence of known exploits in the wild currently limits immediate risk, but the potential for impactful attacks remains high.
Mitigation Recommendations
To mitigate this vulnerability, organizations should first verify whether the "use_dns" setting in the kdcproxy configuration is explicitly set to false, since this disables the DNS SRV lookup that lets a request for an unconfigured realm steer the proxy toward attacker-chosen destinations. If it is not, administrators should set use_dns = false. Note that with DNS fallback disabled, kdcproxy can only serve realms that have server addresses defined in its configuration, so every realm the proxy is expected to handle needs an explicit entry. Additionally, network-level controls should restrict kdcproxy's ability to initiate arbitrary outbound connections, such as firewall rules limiting egress traffic to trusted KDC addresses only. Monitoring DNS zones and SRV records for unauthorized changes can help detect potential attacker-controlled domains. Applying patches or updates from the latchset project as they become available is critical. In the absence of patches, consider isolating kdcproxy instances in segmented network zones with strict access controls. Regular security assessments and penetration testing focused on internal network exposure via proxy services can help identify and remediate similar risks. Finally, logging and alerting on unusual kdcproxy DNS queries or outbound connections can provide early detection of exploitation attempts.
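As an added example (not kdcproxy's own code), the following audits a kdcproxy.conf for the exposure described above and shows the hardened lookup behaviour: realms are resolved only from the static configuration, and an unknown realm is refused rather than looked up in DNS. It assumes the configuration layout documented in the kdcproxy README (a [global] section holding use_dns and one section per realm with space-separated kerberos/kpasswd URLs); the hostnames are constructed sample values.

```python
# Added example (not kdcproxy's own code): audit a kdcproxy.conf for the
# CVE-2025-59088 exposure and resolve realms from static config only.
import configparser
from urllib.parse import urlparse

# Constructed sample config. No use_dns line means the vulnerable default
# (DNS SRV fallback for realms without a section) stays in effect.
WEAK_CONF = """
[global]
configs = mit

[EXAMPLE.COM]
kerberos = kerberos+tcp://kdc1.example.com:88
kpasswd = kpasswd+tcp://kdc1.example.com:464
"""

# Same deployment with the mitigation applied: DNS fallback disabled, so a
# request for a realm that has no section here is refused, not proxied.
HARDENED_CONF = WEAK_CONF.replace("configs = mit", "configs = mit\nuse_dns = false")


def load_conf(text):
    cfg = configparser.ConfigParser()
    cfg.optionxform = str  # keep option names as written
    cfg.read_string(text)
    return cfg


def dns_fallback_enabled(cfg):
    """True unless use_dns is explicitly set to false in [global]."""
    return cfg.getboolean("global", "use_dns", fallback=True)


def realm_servers(cfg, realm, service="kerberos"):
    """Return (host, port) pairs for a realm from the static config only.
    Raises LookupError for a realm with no configured servers, which is the
    case where vulnerable defaults would fall back to DNS SRV lookups in a
    zone the requester may control."""
    if not cfg.has_section(realm) or not cfg.has_option(realm, service):
        raise LookupError(f"realm {realm!r} has no configured {service} servers")
    default_port = 464 if service == "kpasswd" else 88
    return [(urlparse(u).hostname, urlparse(u).port or default_port)
            for u in cfg.get(realm, service).split()]


def audit(text):
    """Summarise exposure: is DNS fallback still on, and which realms are static."""
    cfg = load_conf(text)
    return {"dns_fallback": dns_fallback_enabled(cfg),
            "realms": [s for s in cfg.sections() if s != "global"]}
```

A deployment whose audit reports dns_fallback as True is affected unless use_dns is set to false, and every realm it must serve then needs its own section.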
Affected Countries
United States, Germany, United Kingdom, France, Japan, South Korea, Canada, Australia, India, Netherlands
Technical Details
- Data Version: 5.2
- Assigner Short Name: redhat
- Date Reserved: 2025-09-08T21:43:30.845Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6914c133f490e7dc3cc5b76c
Added to database: 11/12/2025, 5:17:39 PM
Last enriched: 2/27/2026, 2:59:22 PM
Last updated: 3/28/2026, 9:09:03 AM