VulnerableCode Package Details - pkg:maven/dnsjava/dnsjava@3.5.0

Search for packages

Vulnerability	Summary	Fixed by
VCID-t19w-8s3x-z7gt Aliases: GHSA-crjg-w57m-rqqf	DNSJava vulnerable to KeyTrap - Denial-of-Service Algorithmic Complexity Attacks ### Impact Users using the `ValidatingResolver` for DNSSEC validation can run into CPU exhaustion with specially crafted DNSSEC-signed zones. ### Patches Users should upgrade to dnsjava v3.6.0 ### Workarounds Although not recommended, only using a non-validating resolver, will remove the vulnerability. ### References https://www.athene-center.de/en/keytrap	3.6.0 Affected by 0 other vulnerabilities.
VCID-vrhz-pre9-7kdk Aliases: GHSA-mmwx-rj87-vfgr	DNSJava affected by KeyTrap - NSEC3 closest encloser proof can exhaust CPU resources ### Impact Users using the `ValidatingResolver` for DNSSEC validation can run into CPU exhaustion with specially crafted DNSSEC-signed zones. ### Patches Users should upgrade to dnsjava v3.6.0 ### Workarounds Although not recommended, only using a non-validating resolver, will remove the vulnerability. ### References https://www.athene-center.de/en/keytrap	3.6.0 Affected by 0 other vulnerabilities.
VCID-wx5x-pkdb-sbgt Aliases: CVE-2024-25638 GHSA-cfxw-4h78-h7fw	DNSJava DNSSEC Bypass ### Summary Records in DNS replies are not checked for their relevance to the query, allowing an attacker to respond with RRs from different zones. ### Details DNS Messages are not authenticated. They do not guarantee that - received RRs are authentic - not received RRs do not exist - all or any received records in a response relate to the request Applications utilizing DNSSEC generally expect these guarantees to be met, however DNSSEC by itself only guarantees the first two. To meet the third guarantee, resolvers generally follow an (undocumented, as far as RFCs go) algorithm such as: (simplified, e.g. lacks DNSSEC validation!) 1. denote by `QNAME` the name you are querying (e.g. fraunhofer.de.), and initialize a list of aliases 2. if the ANSWER section contains a valid PTR RRSet for `QNAME`, return it (and optionally return the list of aliases as well) 3. if the ANSWER section contains a valid CNAME RRSet for `QNAME`, add it to the list of aliases. Set `QNAME` to the CNAME's target and go to 2. 4. Verify that `QNAME` does not have any PTR, CNAME and DNAME records using valid NSEC or NSEC3 records. Return `null`. Note that this algorithm relies on NSEC records and thus requires a considerable portion of the DNSSEC specifications to be implemented. For this reason, it cannot be performed by a DNS client (aka application) and is typically performed as part of the resolver logic. dnsjava does not implement a comparable algorithm, and the provided APIs instead return either - the received DNS message itself (e.g. when using a ValidatingResolver such as in [this](https://github.com/dnsjava/dnsjava/blob/master/EXAMPLES.md#dnssec-resolver) example), or - essentially just the contents of its ANSWER section (e.g. when using a LookupSession such as in [this](https://github.com/dnsjava/dnsjava/blob/master/EXAMPLES.md#simple-lookup-with-a-resolver) example) If applications blindly filter the received results for RRs of the desired record type (as seems to be typical usage for dnsjava), a rogue recursive resolver or (on UDP/TCP connections) a network attacker can - In addition to the actual DNS response, add RRs irrelevant to the query but of the right datatype, e.g. from another zone, as long as that zone is correctly using DNSSEC, or - completely exchange the relevant response records ### Impact DNS(SEC) libraries are usually used as part of a larger security framework. Therefore, the main misuses of this vulnerability concern application code, which might take the returned records as authentic answers to the request. Here are three concrete examples of where this might be detrimental: - [RFC 6186](https://datatracker.ietf.org/doc/html/rfc6186) specifies that to connect to an IMAP server for a user, a mail user agent should retrieve certain SRV records and send the user's credentials to the specified servers. Exchanging the SRV records can be a tool to redirect the credentials. - When delivering mail via SMTP, MX records determine where to deliver the mails to. Exchanging the MX records might lead to information disclosure. Additionally, an exchange of TLSA records might allow attackers to intercept TLS traffic. - Some research projects like [LIGHTest](https://www.lightest.eu/) are trying to manage CA trust stores via URI and SMIMEA records in the DNS. Exchanging these allows manipulating the root of trust for dependent applications. ### Mitigations At this point, the following mitigations are recommended: - When using a ValidatingResolver, ignore any Server indications of whether or not data was available (e.g. NXDOMAIN, NODATA, ...). - For APIs returning RRs from DNS responses, filter the RRs using an algorithm such as the one above. This includes e.g. `LookupSession.lookupAsync`. - Remove APIs dealing with raw DNS messages from the examples section or place a noticable warning above.	3.6.0 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-t19w-8s3x-z7gt
Aliases:
GHSA-crjg-w57m-rqqf

DNSJava vulnerable to KeyTrap - Denial-of-Service Algorithmic Complexity Attacks ### Impact Users using the `ValidatingResolver` for DNSSEC validation can run into CPU exhaustion with specially crafted DNSSEC-signed zones. ### Patches Users should upgrade to dnsjava v3.6.0 ### Workarounds Although not recommended, only using a non-validating resolver, will remove the vulnerability. ### References https://www.athene-center.de/en/keytrap

3.6.0
Affected by 0 other vulnerabilities.

VCID-vrhz-pre9-7kdk
Aliases:
GHSA-mmwx-rj87-vfgr

DNSJava affected by KeyTrap - NSEC3 closest encloser proof can exhaust CPU resources ### Impact Users using the `ValidatingResolver` for DNSSEC validation can run into CPU exhaustion with specially crafted DNSSEC-signed zones. ### Patches Users should upgrade to dnsjava v3.6.0 ### Workarounds Although not recommended, only using a non-validating resolver, will remove the vulnerability. ### References https://www.athene-center.de/en/keytrap

3.6.0
Affected by 0 other vulnerabilities.

VCID-wx5x-pkdb-sbgt
Aliases:
CVE-2024-25638
GHSA-cfxw-4h78-h7fw

DNSJava DNSSEC Bypass ### Summary Records in DNS replies are not checked for their relevance to the query, allowing an attacker to respond with RRs from different zones. ### Details DNS Messages are not authenticated. They do not guarantee that - received RRs are authentic - not received RRs do not exist - all or any received records in a response relate to the request Applications utilizing DNSSEC generally expect these guarantees to be met, however DNSSEC by itself only guarantees the first two. To meet the third guarantee, resolvers generally follow an (undocumented, as far as RFCs go) algorithm such as: (simplified, e.g. lacks DNSSEC validation!) 1. denote by `QNAME` the name you are querying (e.g. fraunhofer.de.), and initialize a list of aliases 2. if the ANSWER section contains a valid PTR RRSet for `QNAME`, return it (and optionally return the list of aliases as well) 3. if the ANSWER section contains a valid CNAME RRSet for `QNAME`, add it to the list of aliases. Set `QNAME` to the CNAME's target and go to 2. 4. Verify that `QNAME` does not have any PTR, CNAME and DNAME records using valid NSEC or NSEC3 records. Return `null`. Note that this algorithm relies on NSEC records and thus requires a considerable portion of the DNSSEC specifications to be implemented. For this reason, it cannot be performed by a DNS client (aka application) and is typically performed as part of the resolver logic. dnsjava does not implement a comparable algorithm, and the provided APIs instead return either - the received DNS message itself (e.g. when using a ValidatingResolver such as in [this](https://github.com/dnsjava/dnsjava/blob/master/EXAMPLES.md#dnssec-resolver) example), or - essentially just the contents of its ANSWER section (e.g. when using a LookupSession such as in [this](https://github.com/dnsjava/dnsjava/blob/master/EXAMPLES.md#simple-lookup-with-a-resolver) example) If applications blindly filter the received results for RRs of the desired record type (as seems to be typical usage for dnsjava), a rogue recursive resolver or (on UDP/TCP connections) a network attacker can - In addition to the actual DNS response, add RRs irrelevant to the query but of the right datatype, e.g. from another zone, as long as that zone is correctly using DNSSEC, or - completely exchange the relevant response records ### Impact DNS(SEC) libraries are usually used as part of a larger security framework. Therefore, the main misuses of this vulnerability concern application code, which might take the returned records as authentic answers to the request. Here are three concrete examples of where this might be detrimental: - [RFC 6186](https://datatracker.ietf.org/doc/html/rfc6186) specifies that to connect to an IMAP server for a user, a mail user agent should retrieve certain SRV records and send the user's credentials to the specified servers. Exchanging the SRV records can be a tool to redirect the credentials. - When delivering mail via SMTP, MX records determine where to deliver the mails to. Exchanging the MX records might lead to information disclosure. Additionally, an exchange of TLSA records might allow attackers to intercept TLS traffic. - Some research projects like [LIGHTest](https://www.lightest.eu/) are trying to manage CA trust stores via URI and SMIMEA records in the DNS. Exchanging these allows manipulating the root of trust for dependent applications. ### Mitigations At this point, the following mitigations are recommended: - When using a ValidatingResolver, ignore any Server indications of whether or not data was available (e.g. NXDOMAIN, NODATA, ...). - For APIs returning RRs from DNS responses, filter the RRs using an algorithm such as the one above. This includes e.g. `LookupSession.lookupAsync`. - Remove APIs dealing with raw DNS messages from the examples section or place a noticable warning above.

3.6.0
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-12T00:22:42.429251+00:00	GitLab Importer	Affected by	VCID-wx5x-pkdb-sbgt	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/dnsjava/dnsjava/CVE-2024-25638.yml	38.3.0
2026-04-12T00:22:40.685351+00:00	GitLab Importer	Affected by	VCID-vrhz-pre9-7kdk	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/dnsjava/dnsjava/GHSA-mmwx-rj87-vfgr.yml	38.3.0
2026-04-12T00:22:39.049779+00:00	GitLab Importer	Affected by	VCID-t19w-8s3x-z7gt	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/dnsjava/dnsjava/GHSA-crjg-w57m-rqqf.yml	38.3.0
2026-04-03T00:30:18.835958+00:00	GitLab Importer	Affected by	VCID-wx5x-pkdb-sbgt	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/dnsjava/dnsjava/CVE-2024-25638.yml	38.1.0
2026-04-03T00:30:17.339507+00:00	GitLab Importer	Affected by	VCID-vrhz-pre9-7kdk	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/dnsjava/dnsjava/GHSA-mmwx-rj87-vfgr.yml	38.1.0
2026-04-03T00:30:15.603473+00:00	GitLab Importer	Affected by	VCID-t19w-8s3x-z7gt	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/dnsjava/dnsjava/GHSA-crjg-w57m-rqqf.yml	38.1.0
2026-04-02T12:39:47.154633+00:00	GitLab Importer	Affected by	VCID-vrhz-pre9-7kdk	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/dnsjava/dnsjava/GHSA-mmwx-rj87-vfgr.yml	38.0.0
2026-04-02T12:39:46.988517+00:00	GitLab Importer	Affected by	VCID-t19w-8s3x-z7gt	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/dnsjava/dnsjava/GHSA-crjg-w57m-rqqf.yml	38.0.0
2026-04-01T16:06:04.868080+00:00	GHSA Importer	Affected by	VCID-t19w-8s3x-z7gt	https://github.com/advisories/GHSA-crjg-w57m-rqqf	38.0.0
2026-04-01T16:06:04.702011+00:00	GHSA Importer	Affected by	VCID-vrhz-pre9-7kdk	https://github.com/advisories/GHSA-mmwx-rj87-vfgr	38.0.0