Nixpkgs security tracker

Accepted

Permalink CVE-2026-33489

updated an hour ago by @LeSuisse Activity log

Created suggestion 4 hours ago
@LeSuisse ignored reference https://g… an hour ago
@LeSuisse accepted an hour ago

CoreDNS transfer plugin subzone ACL bypass via lexicographic zone comparison

CoreDNS is a DNS server that chains plugins. In versions prior to 1.14.3, the transfer plugin can select the wrong ACL stanza when both a parent zone and a more-specific subzone are configured. The longestMatch() function in plugin/transfer/transfer.go uses a lexicographic string comparison instead of an actual longest-suffix match to select the winning zone. As a result, a permissive parent-zone transfer rule can override a restrictive subzone rule depending on zone name ordering (e.g., "example.org." > "a.example.org." lexicographically). This allows an unauthorized remote client to perform AXFR/IXFR for the subzone and retrieve its full zone contents. This issue has been fixed in version 1.14.3.

References

https://github.com/coredns/coredns/security/advisories/GHSA-h8mm-c463-wjq3 x_refsource_CONFIRMexploit

Ignored references (1)

https://github.com/coredns/coredns/releases/tag/v1.14.3 x_refsource_MISC

Affected products

coredns

==< 1.14.3

Matching in nixpkgs

pkgs.coredns

DNS server that runs middleware

nixos-unstable 1.14.2
- nixpkgs-unstable 1.14.2
- nixos-unstable-small 1.14.2
nixos-25.11 1.13.2
- nixos-25.11-small 1.13.2
- nixpkgs-25.11-darwin 1.13.2

Package maintainers

@rushmorem Rushmore Mushambi <rushmore@webenchanter.com>
@djds djds <git@djds.dev>
@DeltaEvo Duarte David <deltaduartedavid@gmail.com>
@johanot Johan Thomsen <write@ownrisk.dk>
@rtreffer Rene Treffer <treffer+nixos@measite.de>

Suggestion detail

References

Affected products

Matching in nixpkgs

pkgs.coredns

Package maintainers