CVE-2025-59089: Allocation of Resources Without Limits or Throttling in latchset kdcproxy
If an attacker causes kdcproxy to connect to an attacker-controlled KDC server (e.g. through server-side request forgery), they can exploit the fact that kdcproxy does not enforce bounds on TCP response length to conduct a denial-of-service attack. While receiving the KDC's response, kdcproxy copies the entire buffered stream into a new buffer on each recv() call, even when the transfer is incomplete, causing excessive memory allocation and CPU usage. Additionally, kdcproxy accepts incoming response chunks as long as the received data length is not exactly equal to the length indicated in the response header, even when individual chunks or the total buffer exceed the maximum length of a Kerberos message. This allows an attacker to send unbounded data until the connection timeout is reached (approximately 12 seconds), exhausting server memory or CPU resources. Multiple concurrent requests can cause accept queue overflow, denying service to legitimate clients.
AI Analysis
Technical Summary
The vulnerability in latchset's kdcproxy (CVE-2025-59089) involves the allocation of resources without limits or throttling when processing TCP responses from KDC servers. Specifically, kdcproxy copies the entire buffered stream into a new buffer on each recv() call, even if the transfer is incomplete, causing excessive memory and CPU consumption. Additionally, it accepts incoming response chunks as long as the received data length does not exactly match the length indicated in the response header, allowing an attacker to send unbounded data until the connection times out (about 12 seconds). Multiple concurrent exploit attempts can overflow the accept queue, resulting in denial of service to legitimate clients. This vulnerability has a CVSS v3.1 base score of 5.9 (medium severity) with network attack vector, high attack complexity, no privileges required, no user interaction, and impacts availability only. Red Hat has issued official patches for python-kdcproxy in Red Hat Enterprise Linux 9.6 and 9 to remediate this issue.
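The two receive-loop defects described above, as an added illustrative example in Python that is not kdcproxy's own code nor the Red Hat patch: a vulnerable loop that rebuilds its buffer on every recv() and stops only on an exact length match, beside a hardened loop that caps the declared length and fails on the first overrun. The 1 MiB cap, the FakeKdcStream stand-in and the sample chunks are constructed assumptions.

```python
import struct

# Assumed cap on a Kerberos TCP message; the page does not give kdcproxy's real limit.
MAX_KRB_MSG_LEN = 1 << 20


class FakeKdcStream:
    """Constructed stand-in for the KDC socket: replays canned chunks, then EOF."""

    def __init__(self, chunks):
        self._chunks = list(chunks)

    def recv(self, bufsize):
        return self._chunks.pop(0) if self._chunks else b""


def recv_reply_unbounded(sock):
    """Vulnerable pattern: rebuilds the whole buffer on every recv() and stops
    only when the length matches exactly, so an overrun is never rejected.
    Returns (buffer, bytes_copied) to make the repeated copying visible."""
    buf, copied = b"", 0
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            break
        copied += len(buf)          # everything received so far is copied again
        buf = buf + chunk
        if len(buf) >= 4 and len(buf) == 4 + struct.unpack("!I", buf[:4])[0]:
            break
    return buf, copied


def recv_reply_bounded(sock, max_len=MAX_KRB_MSG_LEN):
    """Hardened pattern: append in place, cap the declared length, and fail
    as soon as the peer sends more than it declared."""
    buf = bytearray()
    expected = None
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("KDC closed the connection before a complete reply")
        buf += chunk                 # amortised append, no full copy per recv()
        if expected is None:
            if len(buf) < 4:
                continue             # length prefix not complete yet
            expected = struct.unpack("!I", buf[:4])[0]
            if expected > max_len:
                raise ValueError(f"declared length {expected} exceeds cap {max_len}")
        if len(buf) > 4 + expected:
            raise ValueError("KDC sent more data than the length prefix declared")
        if len(buf) == 4 + expected:
            return bytes(buf[4:])    # payload without the 4-byte prefix
```

With an overrunning stream the vulnerable loop reads until the connection closes (the timeout in the real proxy), while the bounded loop rejects the second chunk.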
Potential Impact
Exploitation of this vulnerability allows an unauthenticated attacker to cause a denial-of-service condition by exhausting memory and CPU resources on the server running kdcproxy. This can also lead to accept queue overflow, preventing legitimate clients from connecting. There is no impact on confidentiality or integrity reported. The CVSS score of 5.9 reflects a medium severity availability impact with network attack vector and high attack complexity.
Mitigation Recommendations
Official patches are available from Red Hat for python-kdcproxy in Red Hat Enterprise Linux 9 and 9.6 Extended Update Support releases. Users should apply these updates promptly as detailed in Red Hat advisories RHSA-2025:21138 and RHSA-2025:21139. The vendor advisory explicitly states the availability of these fixes and provides instructions for updating. No additional mitigation steps are indicated beyond applying the official patches.
Technical Details
- Data Version: 5.2
- Assigner Short Name: redhat
- Date Reserved: 2025-09-08T21:43:30.846Z
- CVSS Version: 3.1
- State: PUBLISHED
- Vendor Advisory URLs (Red Hat):
  - https://access.redhat.com/errata/RHSA-2025:21138
  - https://access.redhat.com/errata/RHSA-2025:21139
  - https://access.redhat.com/errata/RHSA-2025:21140
  - https://access.redhat.com/errata/RHSA-2025:21141
  - https://access.redhat.com/errata/RHSA-2025:21142
  - https://access.redhat.com/errata/RHSA-2025:21448
  - https://access.redhat.com/errata/RHSA-2025:21748
  - https://access.redhat.com/errata/RHSA-2025:21806
  - https://access.redhat.com/errata/RHSA-2025:21818
  - https://access.redhat.com/errata/RHSA-2025:21819
  - https://access.redhat.com/errata/RHSA-2025:21820
  - https://access.redhat.com/errata/RHSA-2025:21821
  - https://access.redhat.com/errata/RHSA-2025:22982
  - https://access.redhat.com/security/cve/CVE-2025-59089
Threat ID: 6914bbf8be619665a2474cfb
Added to database: 11/12/2025, 4:55:20 PM
Last enriched: 4/21/2026, 5:50:01 AM
Last updated: 5/10/2026, 1:53:56 AM