CVE-2025-59089: Allocation of Resources Without Limits or Throttling in latchset kdcproxy
If an attacker causes kdcproxy to connect to an attacker-controlled KDC server (e.g. through server-side request forgery), they can exploit the fact that kdcproxy does not enforce bounds on TCP response length to conduct a denial-of-service attack. While receiving the KDC's response, kdcproxy copies the entire buffered stream into a new buffer on each recv() call, even when the transfer is incomplete, causing excessive memory allocation and CPU usage. Additionally, kdcproxy accepts incoming response chunks as long as the received data length is not exactly equal to the length indicated in the response header, even when individual chunks or the total buffer exceed the maximum length of a Kerberos message. This allows an attacker to send unbounded data until the connection timeout is reached (approximately 12 seconds), exhausting server memory or CPU resources. Multiple concurrent requests can cause accept queue overflow, denying service to legitimate clients.
AI Analysis
Technical Summary
CVE-2025-59089 is a resource exhaustion vulnerability in latchset's kdcproxy, a proxy component used in Kerberos authentication flows. The vulnerability occurs because kdcproxy does not impose bounds or throttling on the size of TCP responses received from KDC servers. When kdcproxy connects to a malicious or attacker-controlled KDC server—potentially via server-side request forgery—the attacker can send arbitrarily large or malformed responses. The proxy copies the entire buffered stream into a new buffer on each recv() call, even if the transfer is incomplete, causing excessive memory allocation and CPU usage. Furthermore, kdcproxy continues to accept incoming response chunks as long as the total received data length does not exactly match the length specified in the response header, even if the chunks or total buffer exceed the maximum allowed Kerberos message size. This allows an attacker to send unbounded data until the connection times out (approximately 12 seconds), exhausting server memory and CPU resources. When multiple such requests occur concurrently, the accept queue can overflow, resulting in denial of service to legitimate clients. The vulnerability affects version 0 of kdcproxy and has a CVSS 3.1 base score of 5.9, reflecting a medium severity due to network attack vector, high attack complexity, no privileges required, no user interaction, and impact limited to availability. No patches or known exploits are currently reported. The flaw is particularly concerning for environments heavily reliant on Kerberos authentication and kdcproxy as a component in their identity infrastructure.
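Added example, not kdcproxy's own code (Python is used because that is the language kdcproxy is written in): the unbounded read pattern the description and summary above attribute to kdcproxy, beside a bounded reader for the same 4-byte big-endian length prefix Kerberos uses over TCP (RFC 4120) that checks the declared length against a cap and never asks the peer for more bytes than it declared. The FakeSock class, the 64 KiB cap, the chunk size and the function names are assumptions made for this illustration.

```python
import struct

MAX_KRB_MSG = 64 * 1024  # assumed cap on a Kerberos message (constructed value)
CHUNK = 4096


class FakeSock:
    """Constructed stand-in for a TCP socket: replays a scripted byte stream."""

    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def recv(self, n: int) -> bytes:
        out = self.data[self.pos:self.pos + n]
        self.pos += len(out)
        return out


def read_unbounded(sock) -> bytes:
    """Advisory's pattern: recopy the buffer on every recv(), stop only on exact length."""
    buf = b""
    while True:
        chunk = sock.recv(CHUNK)
        if not chunk:          # in the real proxy this is the ~12 s connection timeout
            return buf
        buf = buf + chunk      # full copy each time: O(n^2) CPU and memory churn
        if len(buf) >= 4 and len(buf) - 4 == struct.unpack("!I", buf[:4])[0]:
            return buf[4:]     # any overshoot past the header value never matches


def read_bounded(sock, limit: int = MAX_KRB_MSG) -> bytes:
    """Hardened form: cap the declared length, append in place, never over-read."""
    hdr = bytearray()
    while len(hdr) < 4:
        chunk = sock.recv(4 - len(hdr))
        if not chunk:
            raise ValueError("truncated length header")
        hdr += chunk
    (length,) = struct.unpack("!I", bytes(hdr))
    if length > limit:
        raise ValueError(f"declared length {length} exceeds limit {limit}")
    body = bytearray()
    while len(body) < length:
        chunk = sock.recv(min(CHUNK, length - len(body)))  # only what was declared
        if not chunk:
            raise ValueError("peer closed before sending the declared length")
        body += chunk          # amortised O(1) append, total bounded by `limit`
    return bytes(body)
```

With a stream that declares 10 bytes but keeps sending, the unbounded reader swallows everything until the peer goes quiet, while the bounded reader returns the 10 declared bytes and stops.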
Potential Impact
For European organizations, the primary impact of CVE-2025-59089 is denial of service against authentication infrastructure relying on latchset kdcproxy. Disruption of Kerberos authentication can lead to widespread service outages, preventing users from accessing critical systems and applications. This can affect enterprise networks, government agencies, and service providers that depend on Kerberos for secure authentication. The resource exhaustion can degrade server performance or cause crashes, impacting availability and operational continuity. Although confidentiality and integrity are not directly affected, the loss of availability can have cascading effects on business processes and security monitoring. Organizations with large-scale or high-volume Kerberos deployments are at higher risk of significant impact. The absence of known exploits reduces immediate risk, but the medium severity score and ease of triggering the vulnerability via network access warrant proactive mitigation. The attack does not require authentication or user interaction, increasing the threat surface. European entities with critical infrastructure or sensitive data protected by Kerberos authentication should prioritize addressing this vulnerability to avoid potential service disruptions.
Mitigation Recommendations
To mitigate CVE-2025-59089, organizations should first restrict kdcproxy connections to trusted and verified KDC servers, preventing attacker-controlled servers from being contacted. Implement network-level controls such as firewall rules and access control lists to limit outbound connections from kdcproxy to known legitimate KDC IP addresses. Monitor and log kdcproxy resource usage to detect abnormal memory or CPU consumption indicative of exploitation attempts. Apply rate limiting or connection throttling on kdcproxy to reduce the impact of concurrent malicious requests. If possible, update or patch kdcproxy to versions that enforce strict bounds on TCP response sizes and validate message lengths against Kerberos protocol specifications. In the absence of official patches, consider deploying application-layer proxies or intrusion prevention systems that inspect and block oversized or malformed Kerberos messages. Conduct regular security assessments and penetration tests focusing on Kerberos infrastructure to identify and remediate weaknesses. Finally, maintain incident response plans that include recovery procedures for authentication service outages.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Belgium, Italy
Technical Details
- Data Version: 5.2
- Assigner Short Name: redhat
- Date Reserved: 2025-09-08T21:43:30.846Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6914bbf8be619665a2474cfb
Added to database: 11/12/2025, 4:55:20 PM
Last enriched: 12/19/2025, 3:36:44 PM
Last updated: 12/27/2025, 9:18:12 PM