Hickory DNS versions 0.1 through 0.25.2 suffer from a CWE-706 vulnerability where cached DNS data is not directly linked to the query that caused the response, enabling cross-zone poisoning. This means that an attacker could potentially cause the DNS resolver to return incorrect DNS records by exploiting the improper association of cached data, affecting the integrity of DNS responses. The CVSS 3.1 base score is 4.0, reflecting a network attack vector with high attack complexity and no privileges or user interaction required. The vulnerability does not impact confidentiality or availability but can cause limited integrity issues. No vendor advisory or patch is currently available, and the product is not a cloud service, so remediation is not managed by the vendor.

The vulnerability allows an attacker to perform cross-zone poisoning by exploiting the incorrect association of cached DNS data, potentially causing the DNS resolver to return incorrect DNS records. This impacts the integrity of DNS responses but does not affect confidentiality or availability. There are no known exploits in the wild, and the overall impact is rated medium severity with a CVSS score of 4.0.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no official patch or remediation level is provided, users should monitor Hickory Project communications for updates. In the absence of a fix, consider limiting exposure of vulnerable Hickory DNS instances to untrusted networks to reduce risk.