CVE-2020-25685
CVE-2020-25685 is a low-severity vulnerability in Thekelleys Dnsmasq with a CVSS 3.x base score of 3.7. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-326.
Key facts
- Severity: Low (CVSS 3.x base score 3.7)
- CVSS v2: 4.3
- EPSS exploit prediction: 2% (80th percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-326
- Affected product: Thekelleys Dnsmasq
- Published:
- Last modified:
Description
A flaw was found in dnsmasq before version 2.83. When getting a reply from a forwarded query, dnsmasq checks in forward.c:reply_query(), which is the forwarded query that matches the reply, by only using a weak hash of the query name. Due to the weak hash (CRC32 when dnsmasq is compiled without DNSSEC, SHA-1 when it is) this flaw allows an off-path attacker to find several different domains all having the same hash, substantially reducing the number of attempts they would have to perform to forge a reply and get it accepted by dnsmasq. This is in contrast with RFC5452, which specifies that the query name is one of the attributes of a query that must be used to match a reply. This flaw could be abused to perform a DNS Cache Poisoning attack. If chained with CVE-2020-25684 the attack complexity of a successful attack is reduced. The highest threat from this vulnerability is to data integrity.
Frequently asked questions
- What is CVE-2020-25685?
- A flaw was found in dnsmasq before version 2.83. When getting a reply from a forwarded query, dnsmasq checks in forward.c:reply_query(), which is the forwarded query that matches the reply, by only using a weak hash of the query name. Due to the weak hash (CRC32 when dnsmasq is compiled without DNSSEC, SHA-1 when it is) this flaw allows an off-path attacker to find several different domains all having the same hash, substantially reducing the number of attempts they would have to perform to forge a reply and get it accepted by dnsmasq. This is in contrast with RFC5452, which specifies that the query name is one of the attributes of a query that must be used to match a reply. This flaw could be abused to perform a DNS Cache Poisoning attack. If chained with CVE-2020-25684 the attack complexity of a successful attack is reduced. The highest threat from this vulnerability is to data integrity.
- How severe is CVE-2020-25685?
- CVE-2020-25685 has a CVSS 3.x base score of 3.7, rated low severity. It is exploitable over network with high attack complexity, requires no privileges and no user interaction. Impact on confidentiality is none, integrity low, and availability none.
- Is CVE-2020-25685 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 2% (80th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2020-25685?
- CVE-2020-25685 primarily affects Thekelleys Dnsmasq. In total, 5 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2020-25685?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- When was CVE-2020-25685 published?
- CVE-2020-25685 was published on 2021-01-20 and last updated on 2026-06-17.
References
- https://bugzilla.redhat.com/show_bug.cgi?id=1889688
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGB7HL3OWHTLEPSMLDGOMXQKG3KM2QME/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WYW3IR6APUSKOYKL5FT3ACTIHWHGQY32/
- https://security.gentoo.org/glsa/202101-17
- https://www.arista.com/en/support/advisories-notices/security-advisories/12135-security-advisory-61
- https://www.debian.org/security/2021/dsa-4844
- https://www.jsof-tech.com/disclosures/dnspooq/
- https://www.kb.cert.org/vuls/id/434904
Affected products (5)
- cpe:2.3:a:thekelleys:dnsmasq:*:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
- cpe:2.3:o:arista:eos:*:*:*:*:*:*:*:*
More vulnerabilities in Thekelleys Dnsmasq
- CVE-2021-45957 — Critical (CVSS 9.8): Dnsmasq 2.86 has a heap-based buffer overflow in answer_request (called from FuzzAnswerTheRequest and fuzz_rfc1035.c).…
- CVE-2021-45956 — Critical (CVSS 9.8): Dnsmasq 2.86 has a heap-based buffer overflow in print_mac (called from log_packet and dhcp_reply). NOTE: the vendor's…
- CVE-2021-45955 — Critical (CVSS 9.8): Dnsmasq 2.86 has a heap-based buffer overflow in resize_packet (called from FuzzResizePacket and fuzz_rfc1035.c)…
- CVE-2021-45954 — Critical (CVSS 9.8): Dnsmasq 2.86 has a heap-based buffer overflow in extract_name (called from answer_auth and FuzzAuth). NOTE: the…
- CVE-2021-45953 — Critical (CVSS 9.8): Dnsmasq 2.86 has a heap-based buffer overflow in extract_name (called from hash_questions and fuzz_util.c). NOTE: the…
- CVE-2021-45952 — Critical (CVSS 9.8): Dnsmasq 2.86 has a heap-based buffer overflow in dhcp_reply (called from dhcp_packet and FuzzDhcp). NOTE: the vendor's…
All CVEs affecting Thekelleys Dnsmasq →
Other CWE-326 (Inadequate Encryption Strength) vulnerabilities
- CVE-2026-44523 — Critical (CVSS 10.0): Note Mark is an open-source note-taking application. Prior to 0.19.4, no minimum length or entropy is enforced on the…
- CVE-2020-6966 — Critical (CVSS 10.0): In ApexPro Telemetry Server Versions 4.2 and prior, CARESCAPE Telemetry Server v4.2 & prior, Clinical Information…
- CVE-2014-9199 — Critical (CVSS 10.0): The Clorius Controls Java web client before 01.00.0009g allows remote attackers to discover credentials by sniffing the…
- CVE-2018-25272 — Critical (CVSS 9.8): ELBA5 5.8.0 contains a remote code execution vulnerability that allows attackers to obtain database credentials and…
- CVE-2025-12478 — Critical (CVSS 9.8): Non-Compliant TLS Configuration.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5 .
- CVE-2022-24116 — Critical (CVSS 9.8): Certain General Electric Renewable Energy products have inadequate encryption strength. This affects iNET and iNET II…
Browse all CWE-326 (Inadequate Encryption Strength) vulnerabilities →