Description
The miekg Go DNS package before 1.1.25, as used in CoreDNS before 1.6.6 and other products, improperly generates random numbers because math/rand is used. The TXID becomes predictable, leading to response forgeries.
References (5)
Core 5
Core References
Exploit, Issue Tracking, Third Party Advisory x_refsource_misc
https://github.com/miekg/dns/issues/1043
Issue Tracking, Third Party Advisory x_refsource_misc
https://github.com/coredns/coredns/issues/3519
Patch, Third Party Advisory x_refsource_misc
https://github.com/miekg/dns/pull/1044
Release Notes, Third Party Advisory x_refsource_misc
https://github.com/miekg/dns/compare/v1.1.24...v1.1.25
Third Party Advisory x_refsource_confirm
https://github.com/coredns/coredns/issues/3547
Scores
CVSS v3
5.9
EPSS
0.0207
EPSS Percentile
78.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Details
CWE
CWE-338
Status
published
Products (2)
miekg/dns
0 - 1.1.25Go
miekg-dns_project/miekg-dns
< 1.1.25
Published
Dec 13, 2019
Tracked Since
Feb 18, 2026