September 11, 2025
The CoreDNS project has disclosed a vulnerability in its etcd plugin, tracked as CVE-2025-58063 (CVSS 7.1), which could allow attackers to pin DNS cache entries for abnormally long periods, effectively denying service updates and causing widespread resolution issues.
CoreDNS describes the flaw as a TTL confusion vulnerability: “The CoreDNS etcd plugin contains a TTL confusion vulnerability where lease IDs are incorrectly used as TTL values, enabling cache pinning for very long periods.”
In affected versions, the TTL() function mistakenly casts etcd lease IDs — which are identifiers, not time durations — into TTL values. As the advisory notes: “Large lease IDs can produce very large TTLs after truncation, causing downstream resolvers and clients to cache answers for years.”
An attacker would need etcd write access, which could result from compromised service accounts, misconfigured RBAC/TLS, exposed etcd instances, or insider threats. With this access, the sequence of events is:
- The attacker writes or updates a key with an arbitrary lease.
- CoreDNS then serves a DNS record with an artificially large TTL.
- Downstream resolvers cache the poisoned record for years.
- Even after the key is deleted or CoreDNS is restarted, clients continue to trust the stale response until their caches expire.
The advisory warns: “Even after fixing/deleting the key (or restarting CoreDNS), clients continue to use the cached answer until their caches expire or enforce their own TTL caps.”
Although some resolvers implement TTL caps, defaults vary widely, making the impact unpredictable.
The vulnerability primarily affects availability, as service discovery changes such as IP rotations, failovers, and rollbacks could be ignored by caches for extended periods. CoreDNS notes: “Availability: High as service changes may be ignored for extended periods by caches.”
The integrity of DNS answers is also impacted, since stale or maliciously set records persist long after they should have expired. Confidentiality, however, is unaffected.
The bug was introduced in CoreDNS v1.2.0 through GitHub pull request #1702. Any deployment using the etcd plugin for service discovery is considered vulnerable.
The advisory recommends fixing the TTL function by properly using etcd’s Lease API to calculate TTL values. In addition, CoreDNS suggests implementing safeguards: “Add configurable limits for minimum and maximum TTL when passing lease records, to clamp potentially extreme TTL values set as lease grant.”
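To make the defect and the recommended mitigations concrete, the following Go example (added here; it is not CoreDNS or etcd code) contrasts the described pattern, where a 64-bit lease ID is truncated into a 32-bit DNS TTL, with a TTL derived from the lease's remaining lifetime in seconds, as etcd's Lease TimeToLive API reports it, clamped to configurable minimum and maximum bounds as the advisory suggests. It also includes a small audit helper that flags already-served records whose TTL exceeds the cap. The function names, the default limits, and the sample records are all assumptions constructed for illustration.

```go
package main

import "fmt"

// Assumed defaults for the clamp the advisory recommends; real values are a
// deployment choice, not anything CoreDNS ships.
const (
	defaultMinTTL uint32 = 5
	defaultMaxTTL uint32 = 3600
)

// buggyTTLFromLeaseID reproduces the defect pattern the advisory describes:
// an etcd lease ID (an identifier, not a duration) is truncated to 32 bits
// and handed out as a DNS TTL. Large IDs become multi-year TTLs.
func buggyTTLFromLeaseID(leaseID int64) uint32 {
	return uint32(leaseID) // silent truncation, no sanity check
}

// ttlFromLease derives a DNS TTL from the lease's remaining lifetime in
// seconds (etcd reports -1 for an expired lease) and clamps the result to
// [minTTL, maxTTL] so an extreme lease grant can never pin a cache.
func ttlFromLease(remainingSeconds int64, minTTL, maxTTL uint32) uint32 {
	if remainingSeconds < 0 {
		return minTTL // expired or unknown lease: serve the shortest TTL
	}
	if remainingSeconds > int64(maxTTL) {
		return maxTTL
	}
	ttl := uint32(remainingSeconds)
	if ttl < minTTL {
		return minTTL
	}
	return ttl
}

// yearsOf converts a TTL in seconds to years, for readable reporting.
func yearsOf(ttl uint32) float64 {
	return float64(ttl) / (365 * 24 * 3600)
}

// dnsRecord is a minimal stand-in for an answer CoreDNS would serve.
type dnsRecord struct {
	Name string
	TTL  uint32
}

// Constructed sample records: one normal, one carrying a truncated lease ID.
var sampleRecords = []dnsRecord{
	{Name: "web.svc.example.internal.", TTL: 300},
	{Name: "api.svc.example.internal.", TTL: buggyTTLFromLeaseID(0x17FFFFFFF)},
}

// auditRecords returns the names of records whose TTL exceeds cap, which is
// the check a defender would run to spot answers that may already be pinned
// in downstream caches.
func auditRecords(records []dnsRecord, cap uint32) []string {
	var flagged []string
	for _, r := range records {
		if r.TTL > cap {
			flagged = append(flagged, r.Name)
		}
	}
	return flagged
}

func main() {
	leaseID := int64(0x17FFFFFFF) // constructed lease ID wider than 32 bits
	bad := buggyTTLFromLeaseID(leaseID)
	fmt.Printf("lease ID %d truncated to TTL %d (%.1f years)\n", leaseID, bad, yearsOf(bad))

	good := ttlFromLease(7200, defaultMinTTL, defaultMaxTTL) // 2h lease, capped to 1h
	fmt.Printf("lease with 7200s remaining -> clamped TTL %d\n", good)

	for _, name := range auditRecords(sampleRecords, defaultMaxTTL) {
		fmt.Printf("record %s exceeds the TTL cap of %d\n", name, defaultMaxTTL)
	}
}
```

The clamp alone does not evict answers that resolvers cached before the fix; the audit loop is there because, as the advisory notes, clients keep using a cached answer until it expires or their own TTL cap forces a refresh.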
Administrators of affected environments should update CoreDNS to patched releases as soon as possible and review access policies to ensure only trusted systems can write to etcd.