CVE-2025-59089

Name of the Vulnerable Software and Affected Versions kdcproxy (affected versions not specified)

Description An attacker can cause a denial-of-service condition by forcing kdcproxy to connect to a KDC server under the attacker’s control, potentially through server-side request forgery. kdcproxy does not limit the length of TCP responses it accepts, leading to excessive memory allocation and CPU usage when receiving data from the KDC. The software copies the entire buffered stream into a new buffer with each recv() call, even during incomplete transfers. kdcproxy continues accepting incoming response chunks as long as the received data length differs from the length indicated in the response header, allowing an attacker to send unbounded data until a connection timeout is reached, potentially exhausting server resources. Multiple concurrent requests can lead to accept queue overflow, denying service to legitimate clients.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.