CVE-2025-59781 Overview
CVE-2025-59781 affects F5 BIG-IP and BIG-IP Next Cloud-Native Network Functions (CNF) products when DNS cache is configured on a virtual server. Undisclosed DNS queries cause an increase in memory resource utilization, leading to a denial-of-service condition against the affected DNS service. The flaw is tracked under CWE-459: Incomplete Cleanup, indicating that resources allocated during query processing are not fully released. F5 published the vulnerability advisory on October 15, 2025, with details in F5 Support Article K000150637. Software versions that have reached End of Technical Support (EoTS) were not evaluated.
Critical Impact
Unauthenticated remote attackers can send crafted DNS queries to inflate memory utilization on BIG-IP virtual servers configured with DNS cache, degrading or disrupting DNS resolution services.
Affected Products
- F5 BIG-IP modules including Local Traffic Manager (LTM), Global Traffic Manager (GTM), DNS, Access Policy Manager (APM), and Advanced Firewall Manager (AFM)
- F5 BIG-IP security and acceleration modules including ASM, Advanced WAF, SSL Orchestrator, WebAccelerator, and DDoS Hybrid Defender
- F5 BIG-IP Next Cloud-Native Network Functions (CNF)
Discovery Timeline
- 2025-10-15 - CVE-2025-59781 published to NVD and F5 advisory K000150637 released
- 2025-10-22 - Last updated in NVD database
Technical Details for CVE-2025-59781
Vulnerability Analysis
The vulnerability is a memory resource exhaustion issue in the DNS cache feature of F5 BIG-IP and BIG-IP Next CNF. When a virtual server is configured with DNS cache, processing specific DNS queries leaves allocated memory in an unreleased state. The underlying weakness, CWE-459 (Incomplete Cleanup), describes situations where the software does not properly release resources after they are no longer needed.
Repeated submission of the offending query patterns drives memory consumption higher over time. As cache memory pressure grows, the Traffic Management Microkernel (TMM) handling DNS workloads can degrade, drop traffic, or become unresponsive. The affected DNS pathway sits on the data plane of every listed BIG-IP module that shares the underlying TMM and DNS profile code, which is why the advisory enumerates the full module catalog.
Root Cause
The root cause is incomplete cleanup of memory associated with handling certain DNS queries through the DNS cache. F5 has not disclosed the specific query construction. The unreleased allocations accumulate in the DNS cache subsystem on the data plane, which is shared across BIG-IP modules and BIG-IP Next CNF deployments.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker sends DNS queries to a BIG-IP virtual server that has DNS cache enabled. Successful exploitation impacts availability of the DNS service. Integrity and confidentiality are not affected. Refer to F5 Support Article K000150637 for vendor technical detail and fixed version mapping.
Detection Methods for CVE-2025-59781
Indicators of Compromise
- Sustained or sawtooth growth in TMM memory utilization on BIG-IP virtual servers that have a DNS cache profile attached.
- DNS service degradation, increased query latency, dropped DNS responses, or TMM memory pressure alarms (tmm.memory_usage).
- Spikes in inbound DNS query volume from a narrow set of source addresses targeting the affected virtual server.
Detection Strategies
- Baseline DNS query rates and TMM memory usage per virtual server, then alert on deviations correlated with DNS cache profiles.
- Inspect DNS traffic captures for repetitive query patterns or anomalous record types directed at BIG-IP DNS listeners.
- Correlate mcpd, tmm, and DNS module log entries that report memory thresholds, cache evictions, or restart events.
Monitoring Recommendations
- Enable SNMP polling of BIG-IP memory and DNS cache statistics, with thresholds tuned to identify slow leaks.
- Forward BIG-IP /var/log/ltm and DNS profile telemetry to a centralized SIEM for trend analysis across appliances.
- Track DNS query source diversity and per-source query rate to detect single-source query floods targeting cache-enabled listeners.
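As an added example (not from the F5 advisory or this page), a Python sketch of the two signals the detection and monitoring bullets above describe, run over constructed telemetry: a rising floor under a sawtooth of TMM memory samples, and a single source dominating the DNS query count on a cache-enabled listener. The sample values, thresholds and function names are assumptions; wire the functions to whatever SNMP or SIEM feed you actually collect.

```python
# Constructed TMM memory-utilization samples (percent), one per 5-minute
# poll, for a DNS-cache virtual server. Evictions cause dips, but the
# floor keeps rising: the sawtooth pattern the indicators above describe.
TMM_MEM_SAMPLES = [41, 43, 46, 44, 47, 50, 48, 52, 55, 53, 57, 60]

# Constructed per-source DNS query counts for the same poll interval
# (RFC 5737 documentation addresses, not real clients).
DNS_QUERIES_BY_SOURCE = {
    "198.51.100.7": 18500,
    "203.0.113.10": 400,
    "203.0.113.11": 350,
    "192.0.2.44": 300,
}

def rising_floor(samples, chunk=3, min_rise=5.0):
    """True when the per-chunk minimum of a sawtooth series rises in every
    chunk and the floor climbs at least min_rise points overall. A healthy
    cache settles back to a stable floor after evictions; a leak does not."""
    floors = [min(samples[i:i + chunk]) for i in range(0, len(samples), chunk)]
    if len(floors) < 2:
        return False
    monotonic = all(b > a for a, b in zip(floors, floors[1:]))
    return monotonic and (floors[-1] - floors[0]) >= min_rise

def dominant_source(counts, share=0.8, min_total=5000):
    """(source, fraction) when one client sent at least `share` of all
    queries in a busy interval (>= min_total queries); otherwise None."""
    total = sum(counts.values())
    if total < min_total:
        return None
    source = max(counts, key=counts.get)
    frac = counts[source] / total
    return (source, frac) if frac >= share else None

def assess(samples, counts):
    """Combine the two signals into an alert level for a SIEM rule."""
    leak = rising_floor(samples)
    flood = dominant_source(counts)
    if leak and flood:
        return "high"  # leak-shaped growth plus a single-source query flood
    if leak or flood:
        return "medium"
    return "none"
```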
How to Mitigate CVE-2025-59781
Immediate Actions Required
- Identify BIG-IP and BIG-IP Next CNF virtual servers that have a DNS cache profile attached and inventory exposed DNS listeners.
- Apply the F5-supplied engineering hotfix or upgrade to a fixed software version as listed in F5 K000150637.
- Restrict DNS access on affected virtual servers to trusted client networks using AFM rules or upstream ACLs.
Patch Information
F5 has published remediation guidance and fixed release information in F5 Support Article K000150637. Administrators must consult the article for the specific fixed versions corresponding to each BIG-IP module and BIG-IP Next CNF release branch. Versions that have reached End of Technical Support are not evaluated and should be upgraded to a supported branch.
Workarounds
- Disable the DNS cache feature on virtual servers where it is not strictly required until patched software is deployed.
- Apply rate limiting on DNS virtual servers using a DoS profile to cap query volume per source.
- Place the affected DNS listeners behind ACLs that restrict access to authorized resolvers and client subnets.
# Configuration example: identify virtual servers with a DNS cache profile attached
# (the grep is a coarse filter on any virtual server whose definition mentions "dns";
# confirm the cache settings of each DNS profile in the output of the second command)
tmsh list ltm virtual one-line | grep -i dns
tmsh list ltm profile dns
# Example: remove the DNS cache reference from a DNS profile as a temporary workaround,
# then persist the running configuration
tmsh modify ltm profile dns my_dns_profile cache none
tmsh save sys config
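As an added example that is not part of the page or of F5's tooling, a Python helper that narrows the inventory step: instead of the coarse grep above, it parses the output of the two tmsh list commands and reports only virtual servers whose attached DNS profile sets enable-cache yes. The sample output is constructed in the shape tmsh prints, and the enable-cache and cache attribute names are assumptions.

```python
import re

# Constructed samples in the shape the two tmsh list commands print; the
# enable-cache and cache attribute names are assumed, not taken from the page.
PROFILE_OUTPUT = """\
ltm profile dns dns {
    enable-cache no
}
ltm profile dns my_dns_profile {
    cache my_resolver_cache
    enable-cache yes
}
"""
VIRTUAL_OUTPUT = """\
ltm virtual dns_ext_vs { destination 192.0.2.53:53 ip-protocol udp profiles { my_dns_profile { } udp { } } source 0.0.0.0/0 }
ltm virtual dns_int_vs { destination 10.0.0.53:53 ip-protocol udp profiles { dns { } udp { } } source 0.0.0.0/0 }
ltm virtual web_vs { description my_dns_profile destination 192.0.2.80:80 ip-protocol tcp profiles { http { } tcp { } } source 0.0.0.0/0 }
"""
PROFILE_RE = re.compile(r"^ltm profile dns (\S+) \{(.*?)^\}", re.M | re.S)
VIRTUAL_RE = re.compile(r"^ltm virtual (\S+) \{(.*)\}\s*$", re.M)

def cache_enabled_profiles(text):
    """Names of DNS profiles whose body sets 'enable-cache yes'."""
    return {name for name, body in PROFILE_RE.findall(text)
            if re.search(r"^\s*enable-cache yes\s*$", body, re.M)}

def profiles_block(body):
    """Text inside a virtual server's 'profiles { ... }' block, honouring
    the nested braces of each profile entry; '' if the block is absent."""
    start = body.find("profiles {")
    if start < 0:
        return ""
    open_idx, depth = start + len("profiles "), 0
    for j in range(open_idx, len(body)):
        depth += {"{": 1, "}": -1}.get(body[j], 0)
        if depth == 0:
            return body[open_idx + 1:j]
    return ""

def exposed_virtuals(virtual_text, cache_profiles):
    """Map virtual-server name -> attached cache-enabled DNS profile. Only
    the profiles block counts, so web_vs's description does not match."""
    found = {}
    for name, body in VIRTUAL_RE.findall(virtual_text):
        block = profiles_block(body)
        for prof in cache_profiles:
            if re.search(rf"(^| ){re.escape(prof)} \{{", block):
                found[name] = prof
    return found
```

Feed it the real command output (for example, `tmsh list ltm profile dns > profiles.txt`) in place of the constructed strings; only the listed virtual servers need the workaround or the hotfix priority.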
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.