CVE-2025-58063 Overview
CVE-2025-58063 is a TTL (Time-To-Live) confusion vulnerability in the CoreDNS etcd plugin. The flaw affects CoreDNS versions 1.2.0 through 1.12.3. The TTL() function in plugin/etcd/etcd.go incorrectly casts 64-bit etcd lease IDs to uint32 and uses them as DNS record TTL values. Large lease IDs produce extremely large TTLs, enabling DNS cache pinning attacks against affected services. Attackers with the ability to create etcd leases can poison DNS responses with multi-year cache lifetimes, creating a persistent denial-of-service condition for name resolution. The issue is tracked under [CWE-681: Incorrect Conversion between Numeric Types] and was fixed in CoreDNS version 1.12.4.
Critical Impact
Attackers can pin malicious or stale DNS records in resolver caches for years, causing sustained DNS resolution failures and service outages.
Affected Products
- CoreDNS versions 1.2.0 through 1.12.3 (etcd plugin enabled)
- Kubernetes clusters and service meshes relying on CoreDNS with etcd backend
- Downstream DNS resolvers caching responses from affected CoreDNS instances
Discovery Timeline
- 2025-09-09 - CVE-2025-58063 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-58063
Vulnerability Analysis
The CoreDNS etcd plugin retrieves service records from an etcd key-value store and returns them as DNS responses. Records associated with etcd leases inherit their TTL from the lease. The plugin's TTL() function reads the lease identifier rather than the lease's remaining time and casts that 64-bit integer to a 32-bit unsigned integer. The resulting value is then served as the DNS record TTL.
etcd assigns lease IDs as large pseudo-random 64-bit integers. When truncated to uint32, the value typically exceeds normal TTL ranges and can approach the maximum 32-bit unsigned value of 4,294,967,295 seconds, or roughly 136 years. Downstream resolvers honor this TTL and refuse to refresh the record. If the cached record points to an attacker-controlled endpoint, a stale address, or simply NXDOMAIN, service resolution remains broken until caches are manually purged.
Root Cause
The defect is a numeric type confusion. The plugin treated the lease's ID field as if it were a duration. The patch in commit e1768a5d272e9da649dfb8588595e5c6e4e640bf introduces explicit defaultLeaseMinTTL (30 seconds) and defaultLeaseMaxTTL (86,400 seconds) constants and adds a MinLeaseTTL field on the Etcd struct to bound returned TTL values.
Attack Vector
An authenticated user able to create etcd leases or write keys under the CoreDNS path prefix can publish records whose computed TTL spans years. Once CoreDNS serves the record, any caching resolver between CoreDNS and the client retains it, producing a persistent denial of service for the targeted name. The attack requires low privileges and no user interaction.
// Patch excerpt from plugin/etcd/etcd.go
const (
- priority = 10 // default priority when nothing is set
- ttl = 300 // default ttl when nothing is set
- etcdTimeout = 5 * time.Second
+ defaultPriority = 10 // default priority when nothing is set
+ defaultTTL = 300 // default ttl when nothing is set
+ defaultLeaseMinTTL = 30 // default minimum TTL for lease-based records
+ defaultLeaseMaxTTL = 86400 // default maximum TTL for lease-based records
+ etcdTimeout = 5 * time.Second
)
type Etcd struct {
+ MinLeaseTTL uint32 // minimum TTL for lease-based records
}
// Source: https://github.com/coredns/coredns/commit/e1768a5d272e9da649dfb8588595e5c6e4e640bf
Detection Methods for CVE-2025-58063
Indicators of Compromise
- DNS responses from CoreDNS with TTL values far exceeding configured defaults, often in the millions or billions of seconds.
- etcd keys under the CoreDNS PathPrefix associated with leases whose IDs map to abnormally large uint32 values.
- Persistent resolution failures or stale endpoints for services backed by the etcd plugin that do not recover after upstream changes.
Detection Strategies
- Query CoreDNS directly with dig against records served by the etcd plugin and compare returned TTLs against expected service TTLs.
- Audit the etcd datastore for lease-bound keys under the CoreDNS path prefix and correlate lease IDs with served TTLs.
- Review CoreDNS query logs for outbound responses with TTLs greater than the documented maximum used by the deployment.
Monitoring Recommendations
- Alert on DNS responses with TTLs above an operational threshold, for example 86,400 seconds, when sourced from internal CoreDNS instances.
- Track CoreDNS version inventory across clusters and flag instances running versions earlier than 1.12.4.
- Monitor etcd write operations from non-administrative identities that create leases under the CoreDNS prefix.
How to Mitigate CVE-2025-58063
Immediate Actions Required
- Upgrade CoreDNS to version 1.12.4 or later, which contains the fix from commit e1768a5d272e9da649dfb8588595e5c6e4e640bf.
- Restrict write access to the etcd path prefix used by CoreDNS to trusted control-plane identities only.
- Flush downstream DNS caches and restart resolvers after upgrading to clear any pinned long-TTL records.
Patch Information
The fix is available in CoreDNS 1.12.4. See the GitHub Security Advisory GHSA-93mf-426m-g6x9 and the upstream commit for full details. The patch introduces bounded defaultLeaseMinTTL and defaultLeaseMaxTTL constants and a configurable MinLeaseTTL field on the Etcd plugin struct.
Workarounds
- Disable the etcd plugin in the Corefile if it is not required, and use an alternative backend such as file or kubernetes.
- Place a downstream DNS proxy that clamps response TTLs to a safe operational maximum until CoreDNS can be upgraded.
- Tighten etcd role-based access control so that only the CoreDNS service account can create leases under the configured path prefix.
# Verify CoreDNS version and inspect served TTLs
kubectl -n kube-system exec deploy/coredns -- /coredns -version
dig @<coredns-service-ip> service.example.local +noall +answer
# Any TTL substantially above the configured maximum indicates exposure
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

