CVE-2025-59088 Overview
CVE-2025-59088 is a server-side request forgery (SSRF) vulnerability in kdcproxy, the Kerberos KDC Proxy used to tunnel Kerberos traffic over HTTPS. When kdcproxy receives a request for a realm without explicit server addresses defined in its configuration, it falls back to querying DNS SRV records matching the requested realm name. An attacker who controls a DNS zone can publish SRV records pointing to arbitrary hostnames and ports, including loopback and internal addresses. The flaw is tracked as CWE-918: Server-Side Request Forgery.
Critical Impact
Unauthenticated network attackers can coerce kdcproxy to connect to internal hosts, enabling internal network reconnaissance, port scanning, and data exfiltration.
Affected Products
- kdcproxy (latchset/kdcproxy) deployments using the default use_dns=true setting
- Red Hat Enterprise Linux distributions shipping python-kdcproxy (see Red Hat CVE Report)
- Red Hat Identity Management (IdM/FreeIPA) components that bundle the proxy
Discovery Timeline
- 2025-11-12 - CVE-2025-59088 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-59088
Vulnerability Analysis
The kdcproxy service accepts KDC-PROXY-MESSAGE requests over HTTPS and forwards Kerberos traffic to a backend Key Distribution Center (KDC). The proxy reads the target realm from the client request and looks up the corresponding KDC server. When the administrator has not pinned a backend in the configuration file, the proxy resolves the realm dynamically through DNS SRV records such as _kerberos._tcp.<realm>.
The lookup logic does not restrict which realms can be queried, nor does it validate that the resolved targets are legitimate KDC hosts. An attacker controlling the DNS zone for attacker.example can publish SRV records like _kerberos._tcp.attacker.example pointing to 127.0.0.1:6379 or any internal host and port. The proxy then opens a TCP connection on behalf of the unauthenticated attacker.
The issue is classified as CWE-918. The EPSS score is 0.076% (22nd percentile), indicating low observed exploitation activity at the time of publication.
Root Cause
The proxy trusts attacker-controlled input — the realm name — to drive a server-side DNS lookup and outbound TCP connection. There is no allowlist of realms, no destination filtering against RFC 1918 or loopback ranges, and no authentication requirement on the proxy endpoint itself.
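The following is an added example, not kdcproxy's own code: it implements the two missing controls named above (a realm allowlist and destination filtering of resolved SRV targets against the documented KDC networks and ports). Realms, networks and the resolved records are constructed; nothing is looked up or connected to.

```python
"""Validate SRV-discovered KDC targets before any outbound connection.

Added example, not kdcproxy's own code: it implements the two controls the
root cause above says are missing (a realm allowlist and destination
filtering). Realms, networks and the resolved records are constructed;
no DNS lookup or connection is performed.
"""
import ipaddress

# Constructed: realms this proxy may serve, and the networks where the
# organisation's KDCs actually live. Anything else is not a KDC.
APPROVED_REALMS = {"EXAMPLE.COM", "CORP.EXAMPLE.COM"}
KDC_NETWORKS = [ipaddress.ip_network("10.0.1.0/24")]
# Ports a KDC (88) or kpasswd service (464) legitimately listens on.
KDC_PORTS = {88, 464}


def is_permitted_target(ip: str, port: int, networks=KDC_NETWORKS) -> bool:
    """A target is acceptable only on a KDC port, never on loopback or
    link-local, and only inside the documented KDC networks. Any other
    RFC 1918 host (databases, admin ports) is rejected even though it is
    'internal', which is exactly where an SSRF would be steered."""
    addr = ipaddress.ip_address(ip)
    if port not in KDC_PORTS:
        return False
    if addr.is_loopback or addr.is_link_local or addr.is_unspecified:
        return False
    return any(addr in net for net in networks)


def filter_targets(realm, resolved, approved=APPROVED_REALMS,
                   networks=KDC_NETWORKS):
    """Return the (host, ip, port) records the proxy may connect to.

    `resolved` stands in for SRV answers already resolved to addresses.
    A realm outside the allowlist yields an empty list, so the client-
    supplied realm can no longer drive an outbound connection at all.
    """
    if realm.rstrip(".").upper() not in approved:
        return []
    return [(h, ip, p) for h, ip, p in resolved
            if is_permitted_target(ip, p, networks)]


if __name__ == "__main__":
    # Constructed SRV answers: one real KDC plus the kind of loopback,
    # link-local and off-segment targets the advisory describes.
    answers = [("kdc1.example.com", "10.0.1.10", 88),
               ("redis.internal", "127.0.0.1", 6379),
               ("metadata", "169.254.169.254", 80),
               ("rogue", "10.0.9.9", 88)]
    print(filter_targets("EXAMPLE.COM", answers))
    print(filter_targets("ATTACKER.EXAMPLE", answers))
```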
Attack Vector
An unauthenticated remote attacker registers a DNS zone and creates SRV records pointing to internal targets. The attacker then submits a crafted KDC-PROXY-MESSAGE to the public kdcproxy endpoint, specifying their controlled realm. The proxy resolves the SRV record and initiates a TCP connection to the attacker-specified internal host:port. Connection success, timeout, and error responses leak information about internal network topology, open ports, and firewall posture. Repeated requests across many host/port combinations allow systematic internal port scanning. The technical details of the fix are described in GitHub Pull Request for KDCProxy #68.
The vulnerability is described in prose only; no verified exploitation code has been published. See the upstream pull request for the corrective patch.
Detection Methods for CVE-2025-59088
Indicators of Compromise
- Outbound DNS SRV queries from kdcproxy hosts for realms not present in the organization's Kerberos configuration
- TCP connection attempts originating from the kdcproxy process to loopback addresses, RFC 1918 ranges, or non-KDC ports
- HTTP POST requests to the /KdcProxy endpoint referencing unfamiliar or external-looking realm names
- Spikes in failed Kerberos proxy responses correlated with unique source IPs probing the endpoint
Detection Strategies
- Inspect kdcproxy access logs for KDC-PROXY-MESSAGE requests containing realms outside the approved list
- Correlate DNS resolver logs with proxy host activity to identify SRV queries for attacker-controlled zones
- Apply egress network monitoring on hosts running kdcproxy to flag connections to internal services such as databases, metadata endpoints, or admin ports
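The DNS correlation strategy above, as an added example that is not part of the original advisory: the resolver log lines, the kdcproxy host address and the approved realm set are constructed (the lines imitate a BIND-style query log; adapt the regex to your resolver's format).

```python
"""Flag Kerberos SRV lookups from kdcproxy hosts for unapproved realms.

Added example, not part of the original advisory. The log lines, host
addresses and realms are constructed to resemble a BIND query log.
"""
import re

# Constructed: addresses of hosts running kdcproxy, and approved realms.
KDCPROXY_HOSTS = {"10.0.5.20"}
APPROVED_REALMS = {"EXAMPLE.COM"}

# Matches "_kerberos._tcp.<realm> IN SRV" / "_kerberos._udp.<realm> IN SRV"
# queries and captures the querying client address and the realm.
SRV_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<src>\d{1,3}(?:\.\d{1,3}){3})#\d+ .*?"
    r"query: _kerberos\._(?:tcp|udp)\.(?P<realm>[A-Za-z0-9.-]+?)\.? IN SRV")

# Constructed sample: a legitimate lookup, a lookup for a realm the
# organisation does not use, a non-proxy host, and an unrelated A query.
SAMPLE_LOG = """\
13-Nov-2025 10:02:11.001 client 10.0.5.20#41022 (_kerberos._tcp.EXAMPLE.COM): query: _kerberos._tcp.EXAMPLE.COM IN SRV + (10.0.5.1)
13-Nov-2025 10:02:15.311 client 10.0.5.20#41030 (_kerberos._tcp.attacker.example): query: _kerberos._tcp.attacker.example IN SRV + (10.0.5.1)
13-Nov-2025 10:02:16.002 client 10.0.7.4#53011 (_kerberos._tcp.other.test): query: _kerberos._tcp.other.test IN SRV + (10.0.5.1)
13-Nov-2025 10:02:17.900 client 10.0.5.20#41044 (www.example.org): query: www.example.org IN A + (10.0.5.1)
"""


def find_suspicious_srv_queries(log_text, proxy_hosts=KDCPROXY_HOSTS,
                                approved=APPROVED_REALMS):
    """Return (source_ip, REALM) for every Kerberos SRV lookup issued by a
    kdcproxy host whose realm is not in the approved set. Comparison is
    case-insensitive because Kerberos realm SRV names are matched that way.
    Lookups from other hosts and non-SRV queries are ignored."""
    alerts = []
    for line in log_text.splitlines():
        m = SRV_RE.search(line)
        if not m or m.group("src") not in proxy_hosts:
            continue
        realm = m.group("realm").rstrip(".").upper()
        if realm not in approved:
            alerts.append((m.group("src"), realm))
    return alerts


if __name__ == "__main__":
    for src, realm in find_suspicious_srv_queries(SAMPLE_LOG):
        print(f"ALERT kdcproxy host {src} resolved SRV for unapproved realm {realm}")
```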
Monitoring Recommendations
- Enable verbose logging in kdcproxy and forward logs to a centralized SIEM for retention and search
- Alert on any TCP connection from the proxy service account to destinations outside the documented KDC list
- Baseline normal realm names observed at the proxy and alert on first-seen realm values
How to Mitigate CVE-2025-59088
Immediate Actions Required
- Set use_dns = false in /etc/kdcproxy.conf if SRV-based discovery is not required
- Define explicit per-realm server URIs in the kdcproxy configuration to bypass the vulnerable DNS fallback
- Apply the vendor patch from the relevant Red Hat Security Advisory RHSA-2025:21138 or the matching advisory for your platform
- Restrict network egress from the kdcproxy host to known KDC IPs and ports only
Patch Information
Red Hat has released fixed packages across multiple product streams, including RHSA-2025:21139, RHSA-2025:21140, RHSA-2025:21448, RHSA-2025:21748, RHSA-2025:21818, and RHSA-2025:22982. The upstream code fix is available in GitHub Pull Request for KDCProxy #68. Administrators should update to the patched python-kdcproxy package matching their distribution.
Workarounds
- Disable DNS-based realm discovery by setting use_dns=false in the proxy configuration
- Place kdcproxy behind a reverse proxy or WAF that enforces an allowlist of permitted realm parameters
- Apply host-level firewall rules denying outbound traffic from the kdcproxy service account to internal subnets and loopback ports not used by KDCs
# /etc/kdcproxy.conf - pin realms explicitly and disable the DNS SRV fallback
[global]
# Never fall back to _kerberos._tcp.<realm> SRV lookups for unknown realms
use_dns = false
# Also consult the MIT krb5.conf for realm-to-KDC mappings
configs = mit

# kdcproxy expects one section per realm; the kerberos option is a
# space-separated list of backend URIs
[EXAMPLE.COM]
kerberos = kerberos://kdc1.example.com:88 kerberos://kdc2.example.com:88
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

