Introduction
A single misstep in DNS cache management can lead to persistent outages for critical services. In Kubernetes and other cloud-native environments, CoreDNS is the backbone of service discovery and DNS resolution. CVE-2025-58063 exposes a flaw in the CoreDNS etcd plugin that lets attackers pin DNS cache entries for abnormally long periods, effectively causing denial of service for legitimate queries.
About CoreDNS and etcd: CoreDNS is a widely used DNS server, especially as the default DNS provider in Kubernetes clusters. Its plugin-based architecture allows integration with etcd, a distributed key-value store used for service discovery and configuration. Both are foundational to modern container orchestration and cloud-native infrastructure, impacting thousands of organizations globally.
Technical Information
CVE-2025-58063 is rooted in the interaction between the CoreDNS etcd plugin and etcd's lease management system. The vulnerability resides in the TTL() function within plugin/etcd/etcd.go. There, the plugin retrieves lease information from etcd and mistakenly casts the 64-bit lease ID (int64) to a 32-bit unsigned integer (uint32), then uses this value as the DNS TTL (time to live) for responses.
This incorrect numeric conversion (CWE-681) means that if a lease ID is large, the resulting TTL can be extremely high, potentially causing DNS records to be cached for years. Attackers with access to etcd can deliberately create or use large lease IDs, resulting in DNS responses from CoreDNS with excessive TTL values. Downstream DNS resolvers and clients will honor these TTLs, pinning malicious or stale records in cache and blocking legitimate DNS resolution for the affected names.
The vulnerability is only present when the etcd plugin is enabled and used for DNS record management. The root cause is the improper use of lease IDs as TTLs, rather than retrieving the actual TTL value associated with the lease.
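The following Go snippet is an added illustration of the conversion defect described above, not CoreDNS's own code. It models the flawed "lease ID as TTL" narrowing beside a hardened derivation that uses the lease's remaining lifetime in seconds and clamps it; the 24-hour cap and the lease ID value are assumptions chosen for the example.

```go
package main

import "fmt"

// ttlFromLeaseID reproduces the defect: a 64-bit etcd lease ID is narrowed to
// uint32 and used as the DNS TTL. A lease ID is an identifier, not a duration,
// so its low 32 bits are effectively arbitrary. (Constructed model, not CoreDNS code.)
func ttlFromLeaseID(leaseID int64) uint32 {
	return uint32(leaseID) // flawed conversion
}

// maxSaneTTL caps what a service-discovery record may advertise.
// 24 hours is an assumed policy value for this example.
const maxSaneTTL uint32 = 86400

// ttlFromLeaseTTL derives the DNS TTL from the lease's remaining lifetime in
// seconds (the value etcd reports for a lease), clamped to a sane range.
// A non-positive remaining TTL means the lease is expired or about to be,
// so the record should not be cached at all.
func ttlFromLeaseTTL(remainingSeconds int64) uint32 {
	if remainingSeconds <= 0 {
		return 0
	}
	if remainingSeconds > int64(maxSaneTTL) {
		return maxSaneTTL
	}
	return uint32(remainingSeconds)
}

// excessiveTTL is a resolver-side sanity check: a TTL above the cap on a
// service-discovery answer is a signal worth alerting on.
func excessiveTTL(ttl uint32) bool {
	return ttl > maxSaneTTL
}

func main() {
	// Constructed lease ID with bits set both above and within the low 32 bits.
	var leaseID int64 = 0x1234ABCD_7FFFFFFF
	flawed := ttlFromLeaseID(leaseID)
	fmt.Printf("lease %#x -> flawed TTL %d s (~%.1f years)\n",
		leaseID, flawed, float64(flawed)/(365.25*86400))
	fmt.Printf("same lease with 30 s remaining -> TTL %d s\n", ttlFromLeaseTTL(30))
	fmt.Println("flagged as excessive:", excessiveTTL(flawed))
}
```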
References for technical details:
- CWE-681: Incorrect Conversion between Numeric Types
- CoreDNS etcd plugin documentation
- CoreDNS 1.2.0 release notes (etcd v3 support)
Affected Systems and Versions
- CoreDNS versions 1.2.0 up to but not including 1.12.4
- Only deployments with the etcd plugin enabled are vulnerable
- The vulnerability is present in the plugin/etcd/etcd.go file
Vendor Security History
CoreDNS has a strong security track record, including a third-party security audit in 2018 that identified and led to fixes for several DoS and information disclosure issues. The project is a CNCF graduate and is widely adopted in Kubernetes. Previous vulnerabilities have been addressed with timely patches. The etcd plugin has evolved over time, with v3 support introduced in CoreDNS 1.2.0.