Nixpkgs security tracker

Permalink CVE-2026-33260

5.3 MEDIUM

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Privileges Required (PR): None (N)
User Interaction (UI): None (N)
Scope (S): Unchanged (U)
Confidentiality (C): None (N)
Integrity (I): None (N)
Availability (A): Low (L)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): None (N)
Modified Confidentiality (MC): None (N)
Modified Scope (MS): Unchanged (U)
Modified Integrity (MI): None (N)
Modified Availability (MA): Low (L)

updated 3 weeks, 2 days ago by @LeSuisse Activity log

Created suggestion 3 weeks, 2 days ago
@LeSuisse ignored
7 packages
- rotp
- pdnsd
- dnsdist
- pdnsgrep
- pdns-recursor
- home-assistant-component-tests.namecheapdns
- tests.home-assistant-components.namecheapdns
3 weeks, 2 days ago
@LeSuisse accepted 3 weeks, 2 days ago
@LeSuisse restored
2 packages
- dnsdist
- pdns-recursor
3 weeks, 2 days ago
@LeSuisse published on GitHub 3 weeks, 2 days ago

Insufficient input validation of internal webserver

An attacker can send a web request that causes unlimited memory allocation in the internal web server, leading to a denial of service. The internal web server is disabled by default.

References

Affected products

pdns

<5.0.4
<4.9.14

dnsdist

<2.0.4
<1.9.13

pdns-recursor

<5.4.1
<5.2.9
<5.3.6

Matching in nixpkgs

pkgs.pdns

Authoritative DNS server

nixos-unstable 5.0.3
- nixpkgs-unstable 5.0.3
- nixos-unstable-small 5.0.3
nixos-25.11 4.9.8
- nixos-25.11-small 4.9.8
- nixpkgs-25.11-darwin 4.9.8

pkgs.dnsdist

DNS Loadbalancer

nixos-unstable 2.0.3
- nixpkgs-unstable 2.0.3
- nixos-unstable-small 2.0.3
nixos-25.11 1.9.12
- nixos-25.11-small 1.9.12
- nixpkgs-25.11-darwin 1.9.12

pkgs.pdns-recursor

Recursive DNS server

nixos-unstable 5.4.0
- nixpkgs-unstable 5.4.0
- nixos-unstable-small 5.4.0
nixos-25.11 5.2.8
- nixos-25.11-small 5.2.8
- nixpkgs-25.11-darwin 5.2.8

Ignored packages (5)

pkgs.rotp

Open-source modernization of the 1993 classic "Master of Orion", written in Java

nixos-unstable 1.04
- nixpkgs-unstable 1.04
- nixos-unstable-small 1.04
nixos-25.11 1.04
- nixos-25.11-small 1.04
- nixpkgs-25.11-darwin 1.04

pkgs.pdnsd

Permanent DNS caching

nixos-unstable 1.2.9a-par
- nixpkgs-unstable 1.2.9a-par
- nixos-unstable-small 1.2.9a-par
nixos-25.11 1.2.9a-par
- nixos-25.11-small 1.2.9a-par
- nixpkgs-25.11-darwin 1.2.9a-par

pkgs.pdnsgrep

Search tool for PowerDNS logs

nixos-unstable 1.2.0
- nixpkgs-unstable 1.2.0
- nixos-unstable-small 1.2.0

pkgs.home-assistant-component-tests.namecheapdns

Open source home automation that puts local control and privacy first

nixos-25.11 2025.11.3
- nixos-25.11-small 2025.11.3
- nixpkgs-25.11-darwin 2025.11.3

pkgs.tests.home-assistant-components.namecheapdns

Open source home automation that puts local control and privacy first

nixos-unstable 2026.4.3
- nixpkgs-unstable 2026.4.2
- nixos-unstable-small 2026.4.3

Package maintainers

@jojosch Johannes Schleifenbaum <johannes@js-webcoding.de>
@Mic92 Jörg Thalheim <joerg@thalheim.io>
@NickCao Nick Cao <nickcao@nichi.co>
@rnhmjoj Michele Guerini Rocco <rnhmjoj@inventati.org>

https://blog.powerdns.com/2026/04/22/powerdns-security-advisory-2026-05-for-powerdns-authoritative-server

Permalink CVE-2026-33257

5.3 MEDIUM

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Privileges Required (PR): None (N)
User Interaction (UI): None (N)
Scope (S): Unchanged (U)
Confidentiality (C): None (N)
Integrity (I): None (N)
Availability (A): Low (L)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): None (N)
Modified Confidentiality (MC): None (N)
Modified Scope (MS): Unchanged (U)
Modified Integrity (MI): None (N)
Modified Availability (MA): Low (L)

updated 3 weeks, 2 days ago by @LeSuisse Activity log

Created suggestion 3 weeks, 2 days ago
@LeSuisse ignored
5 packages
- rotp
- pdnsgrep
- pdnsd
- tests.home-assistant-components.namecheapdns
- home-assistant-component-tests.namecheapdns
3 weeks, 2 days ago
@LeSuisse accepted 3 weeks, 2 days ago
@LeSuisse published on GitHub 3 weeks, 2 days ago

Insufficient input validation of internal webserver

An attacker can send a web request that causes unlimited memory allocation in the internal web server, leading to a denial of service. The internal web server is disabled by default.

References

Ignored references (1)

https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-powerd…

Affected products

pdns

<5.0.4
<4.9.14

dnsdist

<2.0.4
<1.9.13

pdns-recursor

<5.4.1
<5.2.9
<5.3.6

Matching in nixpkgs

pkgs.pdns

Authoritative DNS server

nixos-unstable 5.0.3
- nixpkgs-unstable 5.0.3
- nixos-unstable-small 5.0.3
nixos-25.11 4.9.8
- nixos-25.11-small 4.9.8
- nixpkgs-25.11-darwin 4.9.8

pkgs.dnsdist

DNS Loadbalancer

nixos-unstable 2.0.3
- nixpkgs-unstable 2.0.3
- nixos-unstable-small 2.0.3
nixos-25.11 1.9.12
- nixos-25.11-small 1.9.12
- nixpkgs-25.11-darwin 1.9.12

pkgs.pdns-recursor

Recursive DNS server

nixos-unstable 5.4.0
- nixpkgs-unstable 5.4.0
- nixos-unstable-small 5.4.0
nixos-25.11 5.2.8
- nixos-25.11-small 5.2.8
- nixpkgs-25.11-darwin 5.2.8

Ignored packages (5)

pkgs.rotp

Open-source modernization of the 1993 classic "Master of Orion", written in Java

nixos-unstable 1.04
- nixpkgs-unstable 1.04
- nixos-unstable-small 1.04
nixos-25.11 1.04
- nixos-25.11-small 1.04
- nixpkgs-25.11-darwin 1.04

pkgs.pdnsd

Permanent DNS caching

nixos-unstable 1.2.9a-par
- nixpkgs-unstable 1.2.9a-par
- nixos-unstable-small 1.2.9a-par
nixos-25.11 1.2.9a-par
- nixos-25.11-small 1.2.9a-par
- nixpkgs-25.11-darwin 1.2.9a-par

pkgs.pdnsgrep

Search tool for PowerDNS logs

nixos-unstable 1.2.0
- nixpkgs-unstable 1.2.0
- nixos-unstable-small 1.2.0

pkgs.home-assistant-component-tests.namecheapdns

Open source home automation that puts local control and privacy first

nixos-25.11 2025.11.3
- nixos-25.11-small 2025.11.3
- nixpkgs-25.11-darwin 2025.11.3

pkgs.tests.home-assistant-components.namecheapdns

Open source home automation that puts local control and privacy first

nixos-unstable 2026.4.3
- nixpkgs-unstable 2026.4.2
- nixos-unstable-small 2026.4.3

Package maintainers

@jojosch Johannes Schleifenbaum <johannes@js-webcoding.de>
@Mic92 Jörg Thalheim <joerg@thalheim.io>
@NickCao Nick Cao <nickcao@nichi.co>
@rnhmjoj Michele Guerini Rocco <rnhmjoj@inventati.org>

https://blog.powerdns.com/2026/04/22/powerdns-security-advisory-2026-05-for-powerdns-authoritative-server

Permalink CVE-2026-33261

5.9 MEDIUM

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): High (H)
Privileges Required (PR): None (N)
User Interaction (UI): None (N)
Scope (S): Unchanged (U)
Confidentiality (C): None (N)
Integrity (I): None (N)
Availability (A): High (H)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): High (H)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): None (N)
Modified Confidentiality (MC): None (N)
Modified Scope (MS): Unchanged (U)
Modified Integrity (MI): None (N)
Modified Availability (MA): High (H)

updated 3 weeks, 2 days ago by @LeSuisse Activity log

Created suggestion 3 weeks, 2 days ago
@LeSuisse ignored package rotp 3 weeks, 2 days ago
@LeSuisse accepted 3 weeks, 2 days ago
@LeSuisse published on GitHub 3 weeks, 2 days ago

Null pointer accces in aggressive NSEC(3) cache

A zone transition from NSEC to NSEC3 might trigger an internal inconsistency and cause a denial of service.

References

https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-powerd…

Affected products

pdns-recursor

<5.4.1
<5.2.9
<5.3.6

Matching in nixpkgs

pkgs.pdns-recursor

Recursive DNS server

nixos-unstable 5.4.0
- nixpkgs-unstable 5.4.0
- nixos-unstable-small 5.4.0
nixos-25.11 5.2.8
- nixos-25.11-small 5.2.8
- nixpkgs-25.11-darwin 5.2.8

Ignored packages (1)

pkgs.rotp

Open-source modernization of the 1993 classic "Master of Orion", written in Java

nixos-unstable 1.04
- nixpkgs-unstable 1.04
- nixos-unstable-small 1.04
nixos-25.11 1.04
- nixos-25.11-small 1.04
- nixpkgs-25.11-darwin 1.04

Package maintainers

@rnhmjoj Michele Guerini Rocco <rnhmjoj@inventati.org>

Permalink CVE-2026-33258

5.3 MEDIUM

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Privileges Required (PR): None (N)
User Interaction (UI): None (N)
Scope (S): Unchanged (U)
Confidentiality (C): None (N)
Integrity (I): None (N)
Availability (A): Low (L)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): None (N)
Modified Confidentiality (MC): None (N)
Modified Scope (MS): Unchanged (U)
Modified Integrity (MI): None (N)
Modified Availability (MA): Low (L)

updated 3 weeks, 2 days ago by @LeSuisse Activity log

Created suggestion 3 weeks, 2 days ago
@LeSuisse ignored package rotp 3 weeks, 2 days ago
@LeSuisse accepted 3 weeks, 2 days ago
@LeSuisse published on GitHub 3 weeks, 2 days ago

Crafted zones can cause increased resource usage

By publishing and querying a crafted zone an attacker can cause allocation of large entries in the negative and aggressive NSEC(3) caches.

References

https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-powerd…

Affected products

pdns-recursor

<5.4.1
<5.2.9
<5.3.6

Matching in nixpkgs

pkgs.pdns-recursor

Recursive DNS server

nixos-unstable 5.4.0
- nixpkgs-unstable 5.4.0
- nixos-unstable-small 5.4.0
nixos-25.11 5.2.8
- nixos-25.11-small 5.2.8
- nixpkgs-25.11-darwin 5.2.8

Ignored packages (1)

pkgs.rotp

Open-source modernization of the 1993 classic "Master of Orion", written in Java

nixos-unstable 1.04
- nixpkgs-unstable 1.04
- nixos-unstable-small 1.04
nixos-25.11 1.04
- nixos-25.11-small 1.04
- nixpkgs-25.11-darwin 1.04

Package maintainers

@rnhmjoj Michele Guerini Rocco <rnhmjoj@inventati.org>

Permalink CVE-2026-33601

4.4 MEDIUM

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): High (H)
Privileges Required (PR): High (H)
User Interaction (UI): None (N)
Scope (S): Unchanged (U)
Confidentiality (C): None (N)
Integrity (I): None (N)
Availability (A): High (H)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): High (H)
Modified Privileges Required (MPR): High (H)
Modified User Interaction (MUI): None (N)
Modified Confidentiality (MC): None (N)
Modified Scope (MS): Unchanged (U)
Modified Integrity (MI): None (N)
Modified Availability (MA): High (H)

updated 3 weeks, 2 days ago by @LeSuisse Activity log

Created suggestion 3 weeks, 2 days ago
@LeSuisse ignored package rotp 3 weeks, 2 days ago
@LeSuisse accepted 3 weeks, 2 days ago
@LeSuisse published on GitHub 3 weeks, 2 days ago

Insufficient validation of zonemd record

If you use the zoneToCache function with a malicious authoritative server, an attacker can send a zone that result in a null pointer dereference, caused by a missing consistency check and leading to a denial of service.

References

https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-powerd…

Affected products

pdns-recursor

<5.4.1
<5.2.9
<5.3.6

Matching in nixpkgs

pkgs.pdns-recursor

Recursive DNS server

nixos-unstable 5.4.0
- nixpkgs-unstable 5.4.0
- nixos-unstable-small 5.4.0
nixos-25.11 5.2.8
- nixos-25.11-small 5.2.8
- nixpkgs-25.11-darwin 5.2.8

Ignored packages (1)

pkgs.rotp

Open-source modernization of the 1993 classic "Master of Orion", written in Java

nixos-unstable 1.04
- nixpkgs-unstable 1.04
- nixos-unstable-small 1.04
nixos-25.11 1.04
- nixos-25.11-small 1.04
- nixpkgs-25.11-darwin 1.04

Package maintainers

@rnhmjoj Michele Guerini Rocco <rnhmjoj@inventati.org>

Permalink CVE-2026-33600

4.4 MEDIUM

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): High (H)
Privileges Required (PR): High (H)
User Interaction (UI): None (N)
Scope (S): Unchanged (U)
Confidentiality (C): None (N)
Integrity (I): None (N)
Availability (A): High (H)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): High (H)
Modified Privileges Required (MPR): High (H)
Modified User Interaction (MUI): None (N)
Modified Confidentiality (MC): None (N)
Modified Scope (MS): Unchanged (U)
Modified Integrity (MI): None (N)
Modified Availability (MA): High (H)

updated 3 weeks, 2 days ago by @LeSuisse Activity log

Created suggestion 3 weeks, 2 days ago
@LeSuisse ignored package rotp 3 weeks, 2 days ago
@LeSuisse accepted 3 weeks, 2 days ago
@LeSuisse published on GitHub 3 weeks, 2 days ago

Null pointer dereference in RPZ transfer

An RPZ sent by a malicious authoritative server can result in a null pointer dereference, caused by a missing consistency check and leading to a denial of service.

References

https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-powerd…

Affected products

pdns-recursor

<5.4.1
<5.2.9
<5.3.6

Matching in nixpkgs

pkgs.pdns-recursor

Recursive DNS server

nixos-unstable 5.4.0
- nixpkgs-unstable 5.4.0
- nixos-unstable-small 5.4.0
nixos-25.11 5.2.8
- nixos-25.11-small 5.2.8
- nixpkgs-25.11-darwin 5.2.8

Ignored packages (1)

pkgs.rotp

Open-source modernization of the 1993 classic "Master of Orion", written in Java

nixos-unstable 1.04
- nixpkgs-unstable 1.04
- nixos-unstable-small 1.04
nixos-25.11 1.04
- nixos-25.11-small 1.04
- nixpkgs-25.11-darwin 1.04

Package maintainers

@rnhmjoj Michele Guerini Rocco <rnhmjoj@inventati.org>

Permalink CVE-2026-33259

5.0 MEDIUM

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): High (H)
Privileges Required (PR): High (H)
User Interaction (UI): None (N)
Scope (S): Unchanged (U)
Confidentiality (C): None (N)
Integrity (I): Low (L)
Availability (A): High (H)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): High (H)
Modified Privileges Required (MPR): High (H)
Modified User Interaction (MUI): None (N)
Modified Confidentiality (MC): None (N)
Modified Scope (MS): Unchanged (U)
Modified Integrity (MI): Low (L)
Modified Availability (MA): High (H)

updated 3 weeks, 2 days ago by @LeSuisse Activity log

Created suggestion 3 weeks, 2 days ago
@LeSuisse ignored package rotp 3 weeks, 2 days ago
@LeSuisse accepted 3 weeks, 2 days ago
@LeSuisse published on GitHub 3 weeks, 2 days ago

Concurrent modification of RPZ data can lead to denial of servce

Having many concurrent transfers of the same RPZ can lead to inconsistent RPZ data, use after free and/or a crash of the recursor. Normally concurrent transfers of the same RPZ zone can only occur with a malfunctioning RPZ provider.

References

https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-powerd…

Affected products

pdns-recursor

<5.4.1
<5.2.9
<5.3.6

Matching in nixpkgs

pkgs.pdns-recursor

Recursive DNS server

nixos-unstable 5.4.0
- nixpkgs-unstable 5.4.0
- nixos-unstable-small 5.4.0
nixos-25.11 5.2.8
- nixos-25.11-small 5.2.8
- nixpkgs-25.11-darwin 5.2.8

Ignored packages (1)

pkgs.rotp

Open-source modernization of the 1993 classic "Master of Orion", written in Java

nixos-unstable 1.04
- nixpkgs-unstable 1.04
- nixos-unstable-small 1.04
nixos-25.11 1.04
- nixos-25.11-small 1.04
- nixpkgs-25.11-darwin 1.04

Package maintainers

@rnhmjoj Michele Guerini Rocco <rnhmjoj@inventati.org>

Permalink CVE-2026-33262

5.9 MEDIUM

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): High (H)
Privileges Required (PR): None (N)
User Interaction (UI): None (N)
Scope (S): Unchanged (U)
Confidentiality (C): None (N)
Integrity (I): None (N)
Availability (A): High (H)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): High (H)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): None (N)
Modified Confidentiality (MC): None (N)
Modified Scope (MS): Unchanged (U)
Modified Integrity (MI): None (N)
Modified Availability (MA): High (H)

updated 3 weeks, 2 days ago by @LeSuisse Activity log

Created suggestion 3 weeks, 2 days ago
@LeSuisse ignored package rotp 3 weeks, 2 days ago
@LeSuisse accepted 3 weeks, 2 days ago
@LeSuisse published on GitHub 3 weeks, 2 days ago

Insufficient validation of cookie reply

An attacker can send replies that result in a null pointer dereference, caused by a missing consistency check and leading to a denial of service. Cookies are disabled by default.

References

https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-powerd…

Affected products

pdns-recursor

<5.4.1
<5.2.9
<5.3.6

Matching in nixpkgs

pkgs.pdns-recursor

Recursive DNS server

nixos-unstable 5.4.0
- nixpkgs-unstable 5.4.0
- nixos-unstable-small 5.4.0
nixos-25.11 5.2.8
- nixos-25.11-small 5.2.8
- nixpkgs-25.11-darwin 5.2.8

Ignored packages (1)

pkgs.rotp

Open-source modernization of the 1993 classic "Master of Orion", written in Java

nixos-unstable 1.04
- nixpkgs-unstable 1.04
- nixos-unstable-small 1.04
nixos-25.11 1.04
- nixos-25.11-small 1.04
- nixpkgs-25.11-darwin 1.04

Package maintainers

@rnhmjoj Michele Guerini Rocco <rnhmjoj@inventati.org>

Permalink CVE-2026-33256

5.3 MEDIUM

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Privileges Required (PR): None (N)
User Interaction (UI): None (N)
Scope (S): Unchanged (U)
Confidentiality (C): None (N)
Integrity (I): None (N)
Availability (A): Low (L)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): None (N)
Modified Confidentiality (MC): None (N)
Modified Scope (MS): Unchanged (U)
Modified Integrity (MI): None (N)
Modified Availability (MA): Low (L)

updated 3 weeks, 2 days ago by @LeSuisse Activity log

Created suggestion 3 weeks, 2 days ago
@LeSuisse ignored package rotp 3 weeks, 2 days ago
@LeSuisse accepted 3 weeks, 2 days ago
@LeSuisse published on GitHub 3 weeks, 2 days ago

Unbounded memory allocation by internal web server

An attacker can send a web request that causes unlimited memory allocation in the internal web server, leading to a denial of service. The internal web server is disabled by default.

References

https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-powerd…

Affected products

pdns-recursor

<5.4.1
<5.2.9
<5.3.6

Matching in nixpkgs

pkgs.pdns-recursor

Recursive DNS server

nixos-unstable 5.4.0
- nixpkgs-unstable 5.4.0
- nixos-unstable-small 5.4.0
nixos-25.11 5.2.8
- nixos-25.11-small 5.2.8
- nixpkgs-25.11-darwin 5.2.8

Ignored packages (1)

pkgs.rotp

Open-source modernization of the 1993 classic "Master of Orion", written in Java

nixos-unstable 1.04
- nixpkgs-unstable 1.04
- nixos-unstable-small 1.04
nixos-25.11 1.04
- nixos-25.11-small 1.04
- nixpkgs-25.11-darwin 1.04

Package maintainers

@rnhmjoj Michele Guerini Rocco <rnhmjoj@inventati.org>

Permalink CVE-2025-59023

8.2 HIGH

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Privileges Required (PR): None (N)
User Interaction (UI): None (N)
Scope (S): Unchanged (U)
Confidentiality (C): None (N)
Integrity (I): High (H)
Availability (A): Low (L)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): None (N)
Modified Confidentiality (MC): None (N)
Modified Scope (MS): Unchanged (U)
Modified Integrity (MI): High (H)
Modified Availability (MA): Low (L)

updated 3 months ago by @LeSuisse Activity log

Created suggestion 3 months ago
@LeSuisse ignored package rotp 3 months ago
@LeSuisse deleted maintainer @rnhmjoj 3 months ago maintainer.delete
@LeSuisse accepted 3 months ago
@LeSuisse published on GitHub 3 months ago

Crafted delegations or IP fragments can poison cached delegations in Recursor

Crafted delegations or IP fragments can poison cached delegations in Recursor.

References

https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2025-0…

Affected products

pdns-recursor

<5.1.8
<5.2.6
<5.3.1

Matching in nixpkgs

pkgs.pdns-recursor

Recursive DNS server

nixos-unstable 5.3.4
- nixpkgs-unstable 5.3.4
- nixos-unstable-small 5.3.4
nixos-25.11 5.2.7
- nixos-25.11-small 5.2.7
- nixpkgs-25.11-darwin 5.2.7

Ignored packages (1)

pkgs.rotp

Open-source modernization of the 1993 classic "Master of Orion", written in Java

nixos-unstable 1.04
- nixpkgs-unstable 1.04
- nixos-unstable-small 1.04
nixos-25.11 1.04
- nixos-25.11-small 1.04
- nixpkgs-25.11-darwin 1.04

Package maintainers

Ignored maintainers (1)

@rnhmjoj Michele Guerini Rocco <rnhmjoj@inventati.org>

Upstream advisory: https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2025-06.html

Suggestions search

References

Affected products

Matching in nixpkgs

pkgs.pdns

pkgs.dnsdist

pkgs.pdns-recursor

pkgs.rotp

pkgs.pdnsd

pkgs.pdnsgrep

pkgs.home-assistant-component-tests.namecheapdns

pkgs.tests.home-assistant-components.namecheapdns

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.pdns

pkgs.dnsdist

pkgs.pdns-recursor

pkgs.rotp

pkgs.pdnsd

pkgs.pdnsgrep

pkgs.home-assistant-component-tests.namecheapdns

pkgs.tests.home-assistant-components.namecheapdns

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.pdns-recursor

pkgs.rotp

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.pdns-recursor

pkgs.rotp

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.pdns-recursor

pkgs.rotp

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.pdns-recursor

pkgs.rotp

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.pdns-recursor

pkgs.rotp

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.pdns-recursor

pkgs.rotp

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.pdns-recursor

pkgs.rotp

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.pdns-recursor

pkgs.rotp

Package maintainers