Nixpkgs Security Tracker

Permalink CVE-2025-59023

8.2 HIGH

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): NONE
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): NONE
Integrity impact (I): HIGH
Availability impact (A): LOW

updated 1 month, 2 weeks ago by @LeSuisse Activity log

Created automatic suggestion 1 month, 3 weeks ago
@LeSuisse removed package rotp 1 month, 3 weeks ago
@LeSuisse removed maintainer @rnhmjoj 1 month, 2 weeks ago
@LeSuisse accepted 1 month, 2 weeks ago
@LeSuisse published on GitHub 1 month, 2 weeks ago

Crafted delegations or IP fragments can poison cached delegations in Recursor

Crafted delegations or IP fragments can poison cached delegations in Recursor.

References

https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2025-0…

Affected products

pdns-recursor

<5.2.6
<5.1.8
<5.3.1

Matching in nixpkgs

pkgs.pdns-recursor

Recursive DNS server

nixos-unstable 5.3.4
- nixpkgs-unstable 5.3.4
- nixos-unstable-small 5.3.4
nixos-25.11 5.2.7
- nixos-25.11-small 5.2.7
- nixpkgs-25.11-darwin 5.2.7

Package maintainers

Ignored maintainers (1)

@rnhmjoj Michele Guerini Rocco <rnhmjoj@inventati.org>

Upstream advisory: https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2025-06.html

Permalink CVE-2025-59024

6.5 MEDIUM

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): HIGH
Privileges required (PR): NONE
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): NONE
Integrity impact (I): HIGH
Availability impact (A): LOW

updated 1 month, 3 weeks ago by @LeSuisse Activity log

Created automatic suggestion 1 month, 3 weeks ago
@LeSuisse removed package rotp 1 month, 3 weeks ago
@LeSuisse removed
2 maintainers
- @rnhmjoj
- @jtrees
1 month, 3 weeks ago
@LeSuisse accepted 1 month, 3 weeks ago
@LeSuisse published on GitHub 1 month, 3 weeks ago

Crafted delegations or IP fragments can poison cached delegations in Recursor

Crafted delegations or IP fragments can poison cached delegations in Recursor.

References

https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2025-0…

Affected products

pdns-recursor

<5.2.6
<5.1.8
<5.3.1

Matching in nixpkgs

pkgs.pdns-recursor

Recursive DNS server

nixos-unstable 5.3.4
- nixpkgs-unstable 5.3.4
- nixos-unstable-small 5.3.4
nixos-25.11 5.2.7
- nixos-25.11-small 5.2.7
- nixpkgs-25.11-darwin 5.2.7

Package maintainers

Ignored maintainers (1)

@rnhmjoj Michele Guerini Rocco <rnhmjoj@inventati.org>

Fixed in:
* https://github.com/NixOS/nixpkgs/commit/42bb4a06d4a01d3dbfca9a19a9daef7cb7560374 (25.11)
* https://github.com/NixOS/nixpkgs/commit/f4cf3fc15536fdc273350b98ad8f4289f32512d2 (unstable)

Permalink CVE-2026-0398

5.3 MEDIUM

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): NONE
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): NONE
Integrity impact (I): NONE
Availability impact (A): LOW

updated 1 month, 3 weeks ago by @LeSuisse Activity log

Created automatic suggestion 1 month, 3 weeks ago
@LeSuisse removed package rotp 1 month, 3 weeks ago
@LeSuisse accepted 1 month, 3 weeks ago
@LeSuisse published on GitHub 1 month, 3 weeks ago

Crafted zones can lead to increased resource usage and crafted CNAME chains can lead to cache poisoning in Recursor

Crafted zones can lead to increased resource usage and crafted CNAME chains can lead to cache poisoning in Recursor.

References

https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2026-0…

Affected products

pdns-recursor

<5.3.5
<5.2.8
<5.1.10

Matching in nixpkgs

pkgs.pdns-recursor

Recursive DNS server

nixos-unstable 5.3.4
- nixpkgs-unstable 5.3.4
- nixos-unstable-small 5.3.4
nixos-25.11 5.2.7
- nixos-25.11-small 5.2.7
- nixpkgs-25.11-darwin 5.2.7

Package maintainers

@rnhmjoj Michele Guerini Rocco <rnhmjoj@inventati.org>

Upstream advisory: https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2026-01.html

Permalink CVE-2025-59030

7.5 HIGH

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): NONE
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): NONE
Integrity impact (I): NONE
Availability impact (A): HIGH

updated 2 months, 2 weeks ago by @LeSuisse Activity log

Created automatic suggestion 2 months, 3 weeks ago
@LeSuisse accepted 2 months, 2 weeks ago
@LeSuisse published on GitHub 2 months, 2 weeks ago

Insufficient validation of incoming notifies over TCP can lead to a denial of service in Recursor

An attacker can trigger the removal of cached records by sending a NOTIFY query over TCP.

References

https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2025-0…

Affected products

pdns-recursor

<5.1.9
<5.3.3
<5.2.7

Matching in nixpkgs

pkgs.pdns-recursor

Recursive DNS server

nixos-unstable 5.2.6
- nixpkgs-unstable 5.2.6
- nixos-unstable-small 5.2.6

Package maintainers

@rnhmjoj Michele Guerini Rocco <rnhmjoj@inventati.org>

Upstream advisory: https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2025-08.html

Suggestions search

References

Affected products

Matching in nixpkgs

pkgs.pdns-recursor

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.pdns-recursor

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.pdns-recursor

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.pdns-recursor

Package maintainers