
CVE-2025-49004: Caido DNS Rebinding RCE Vulnerability

CVE-2025-49004 is a DNS rebinding remote code execution vulnerability in the Caido web security auditing toolkit that allows attackers to hijack the authentication flow and execute commands. This article covers technical details, affected versions, impact, and mitigation steps.


CVE-2025-49004 Overview

Caido is a web security auditing toolkit used by security professionals for application testing. CVE-2025-49004 affects all versions of Caido prior to 0.48.0 due to missing protection against DNS rebinding attacks. An attacker-controlled website can load the locally running Caido instance in the victim's browser and hijack the authentication flow. This results in remote command execution on the victim's machine. The flaw is tracked under CWE-290: Authentication Bypass by Spoofing.

Critical Impact

A malicious website visited by a Caido user can hijack the local instance via DNS rebinding and execute arbitrary commands on the host.

Affected Products

  • Caido web security auditing toolkit versions prior to 0.48.0
  • Local Caido instances during initial setup (unconfigured)
  • Configured Caido instances when the user authorizes a request on dashboard.caido.io

Discovery Timeline

  • 2025-06-09 - CVE-2025-49004 published to NVD
  • 2026-04-15 - Last updated in NVD database

Technical Details for CVE-2025-49004

Vulnerability Analysis

Caido runs as a local service on the user's machine and exposes a web interface for security testing workflows. The application does not validate the Host header or otherwise restrict which domains may interact with the local listener. Without DNS rebinding protections, a remote attacker who controls a domain can cause the victim's browser to send requests to the local Caido instance under the attacker's origin: once the domain is rebound to the loopback address, the browser treats the local service as the same origin as the attacker's page, so the same-origin policy no longer isolates it.

This weakness corresponds to CWE-290, where the trust placed in the origin of incoming requests is misplaced. Because Caido provides command execution capabilities as part of its intended functionality, hijacking the authentication flow yields full remote command execution.

Root Cause

The root cause is the absence of Host header validation and DNS rebinding mitigations on the local Caido HTTP listener. The service assumes that any browser request reaching the loopback interface originates from a trusted local context. An attacker exploits this assumption by rebinding their domain to the loopback address once the browser's short-lived initial DNS record expires.

Attack Vector

The attacker hosts a malicious page on a domain they control. The victim visits this page while running Caido locally. For unconfigured Caido instances, the attacker drives the initial setup flow and gains command execution directly. For already-configured instances, the attacker performs DNS rebinding and initiates the authentication flow, requiring the victim to authorize the request on dashboard.caido.io. Refer to the Caido GitHub Security Advisory GHSA-jmxf-xw2r-vjrg for technical details.

Detection Methods for CVE-2025-49004

Indicators of Compromise

  • Unexpected outbound DNS resolutions from the browser process to attacker-controlled domains that resolve to 127.0.0.1 or local loopback ranges.
  • HTTP requests to the local Caido port carrying a Host header that does not match localhost or 127.0.0.1.
  • Unexplained authorization prompts from dashboard.caido.io triggered while browsing third-party sites.

Detection Strategies

  • Monitor browser telemetry and proxy logs for short-TTL DNS records that flip resolution to loopback addresses.
  • Inspect Caido application logs for setup or authentication flows initiated from unexpected referrers.
  • Hunt for child processes spawned by the Caido binary that do not align with normal user testing workflows.

Monitoring Recommendations

  • Alert on process creation events where Caido is the parent of shells, scripting interpreters, or LOLBins.
  • Track DNS responses with TTL values under 60 seconds resolving public domains to private IP space.
  • Review endpoint logs for outbound connections from the Caido process initiated outside of active user sessions.
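The DNS-side detections above (short-TTL records that flip a public name to loopback or private space) can be turned into a log check. This is an added example, not tooling from the page or from Caido; the resolver log format, the field order and the sample lines are constructed, with RFC 5737 documentation addresses standing in for public space:

```python
import ipaddress
from collections import defaultdict

# Constructed sample resolver log: "timestamp client qname answer ttl".
# The format is hypothetical; 203.0.113.x is a documentation range standing in for public IPs.
SAMPLE_LOG = """\
2025-06-09T10:00:00Z 10.0.0.5 rebind.attacker.example 203.0.113.10 5
2025-06-09T10:00:01Z 10.0.0.5 cdn.example.net 203.0.113.7 3600
2025-06-09T10:00:07Z 10.0.0.5 rebind.attacker.example 127.0.0.1 5
2025-06-09T10:00:09Z 10.0.0.5 internal.corp.local 10.0.0.20 30
2025-06-09T10:00:11Z 10.0.0.5 devbox.example 127.0.0.1 86400
2025-06-09T10:00:15Z 10.0.0.5 rebind6.attacker.example ::1 10
"""

TTL_THRESHOLD = 60  # seconds; rebinding relies on the first answer expiring quickly
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]


def is_internal(ip):
    """True for loopback, RFC 1918, link-local and ULA addresses (explicit list, not is_private)."""
    return any(ip in net for net in INTERNAL_NETS)


def parse_line(line):
    ts, client, qname, answer, ttl = line.split()
    return {"ts": ts, "client": client, "qname": qname.lower().rstrip("."),
            "ip": ipaddress.ip_address(answer), "ttl": int(ttl)}


def find_rebinding_candidates(log_text, ttl_threshold=TTL_THRESHOLD):
    """Flag short-TTL answers that point a name at loopback, or flip a name from public to internal."""
    seen_public = defaultdict(set)   # qname -> public answers seen earlier in the log
    alerts = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if not is_internal(rec["ip"]):
            seen_public[rec["qname"]].add(str(rec["ip"]))
            continue
        flipped = bool(seen_public[rec["qname"]])
        if rec["ttl"] >= ttl_threshold:
            continue   # long-lived loopback records (dev wildcards) are not rebinding material
        if rec["ip"].is_loopback or flipped:   # a plain private answer with no flip stays quiet
            alerts.append({"ts": rec["ts"], "qname": rec["qname"], "to": str(rec["ip"]),
                           "ttl": rec["ttl"], "previous_public": sorted(seen_public[rec["qname"]]),
                           "reason": "public-to-internal flip" if flipped else "loopback answer"})
    return alerts
```

Names that legitimately resolve to private space (internal.corp.local in the sample) are not flagged unless they were first seen with a public answer; loopback answers with a short TTL are flagged on their own.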

How to Mitigate CVE-2025-49004

Immediate Actions Required

  • Upgrade Caido to version 0.48.0 or later on every workstation where the toolkit is installed.
  • Terminate any running Caido instances on unpatched versions until the upgrade is applied.
  • Audit recent browser history and Caido logs for signs of unauthorized setup or authentication flows.

Patch Information

The vendor released version 0.48.0 of Caido, which adds DNS rebinding protection by validating the Host header on the local listener. Users should download the patched build directly from Caido and verify the version after installation. Full details are documented in the Caido GitHub Security Advisory GHSA-jmxf-xw2r-vjrg.
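The Host header check that the root cause section says was missing and that the 0.48.0 fix adds, written out as an added illustration; this is not Caido's code, and the accepted-name policy (localhost plus loopback addresses on the listener's own port) is an assumption, since the advisory does not publish the actual allowlist:

```python
import ipaddress

# Hostnames a loopback-only listener accepts as its own. Illustrative policy only;
# this is not Caido's code and the advisory does not publish its allowlist.
LOOPBACK_NAMES = {"localhost"}


def split_host_port(value):
    """Split a Host header into (host, port or None). Returns (None, None) if malformed."""
    value = value.strip().lower()
    if value.startswith("["):                      # bracketed IPv6 literal
        end = value.find("]")
        if end == -1:
            return None, None
        host, rest = value[1:end], value[end + 1:]
        if rest == "":
            return host, None
        if rest.startswith(":") and rest[1:].isdigit():
            return host, int(rest[1:])
        return None, None
    if value.count(":") == 1:                      # host:port
        host, port = value.split(":")
        return (host, int(port)) if port.isdigit() else (None, None)
    if ":" in value:                               # unbracketed IPv6 is not a valid Host value
        return None, None
    return value, None


def host_header_allowed(value, listen_port):
    """Accept the request only if Host names this loopback listener (name or address, right port)."""
    host, port = split_host_port(value)
    if host is None or host == "":
        return False
    if port is not None and port != listen_port:
        return False
    if host in LOOPBACK_NAMES:
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        # After rebinding, the browser still sends the attacker's hostname in Host,
        # even though the TCP connection landed on 127.0.0.1; that is what this catches.
        return False
```

The check belongs in front of every route, including the unauthenticated setup endpoints, because the setup flow is what the advisory describes as the path to direct command execution on an unconfigured instance; a mismatch should be answered with an error (421 Misdirected Request is the fitting status) before any handler runs.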

Workarounds

  • Do not run Caido while browsing untrusted websites if upgrading immediately is not possible.
  • Bind Caido strictly to 127.0.0.1 and block external DNS resolution to loopback at the host firewall.
  • Decline any unexpected authorization prompts originating from dashboard.caido.io during normal browsing.

```bash
# Verify the installed Caido version is patched
caido --version
# Expected output: 0.48.0 or later
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
