PT-2026-47554 · Maven · io.netty:netty-resolver-dns
Published 2026-06-08 · Updated 2026-06-08
CVSS v3.1 8.7 High
| Vector | AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N |
Summary
Netty's DnsResolveContext fails to validate the origin (bailiwick) of CNAME records in DNS responses.
Details
In io.netty.resolver.dns.DnsResolveContext#buildAliasMap, the resolver processes the ANSWER section of a DNS response and caches every CNAME record it finds, without checking whether the responding server is authoritative for the record's owner name. Care must be taken to only accept data if it is known that the originator is authoritative for the QNAME or a parent of the QNAME. One very simple way to achieve this is to only accept data if it is part of the domain for which the query was intended.
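The following is an added illustration of the in-domain rule described above; it is not Netty's code and does not reproduce buildAliasMap. It models the ANSWER section as a list of (owner, type, rdata) tuples (constructed sample data, not a real capture), shows the unchecked behaviour that caches every CNAME, and beside it a checked variant that keeps only CNAMEs whose owner name is the QNAME or a name beneath it. Out-of-bailiwick targets of an accepted CNAME are left for the resolver to look up separately rather than trusted from the same response.

```python
"""Bailiwick (in-domain) filtering of CNAME records from a DNS ANSWER section.

Added example: a simplified model, not Netty's implementation. Records are
(owner name, record type, rdata) tuples; a real resolver parses wire format.
"""
from typing import Dict, List, Tuple

Record = Tuple[str, str, str]  # (owner name, record type, rdata)


def normalize(name: str) -> str:
    """Lower-case the name and strip the trailing dot so comparisons are exact."""
    return name.rstrip(".").lower()


def in_bailiwick(owner: str, qname: str) -> bool:
    """True if owner is the queried name or a name beneath it.

    The suffix test is anchored on a label boundary, so 'evilexample.net'
    does not count as being inside 'example.net'.
    """
    owner, qname = normalize(owner), normalize(qname)
    return owner == qname or owner.endswith("." + qname)


def build_alias_map_unchecked(answers: List[Record]) -> Dict[str, str]:
    """Vulnerable behaviour: every CNAME in the answer section is cached."""
    return {normalize(o): normalize(r) for o, t, r in answers if t == "CNAME"}


def build_alias_map_checked(qname: str, answers: List[Record]) -> Dict[str, str]:
    """Hardened behaviour: cache a CNAME only when its owner is in bailiwick.

    The CNAME target itself may point anywhere; it is simply the next name to
    resolve, and nothing about that target is trusted from this response.
    """
    accepted: Dict[str, str] = {}
    for owner, rtype, rdata in answers:
        if rtype != "CNAME":
            continue
        if not in_bailiwick(owner, qname):
            continue  # out-of-bailiwick owner: drop instead of caching
        accepted[normalize(owner)] = normalize(rdata)
    return accepted


def out_of_bailiwick_cnames(qname: str, answers: List[Record]) -> List[str]:
    """Owner names of CNAMEs that would be rejected; useful for detection logging."""
    return [
        normalize(o)
        for o, t, _ in answers
        if t == "CNAME" and not in_bailiwick(o, qname)
    ]


# Constructed response to a query for www.example.net: a legitimate alias
# and address, plus an injected CNAME for a name the server is not
# authoritative for.
QNAME = "www.example.net"
ANSWERS: List[Record] = [
    ("www.example.net.", "CNAME", "cdn.example.net."),
    ("cdn.example.net.", "A", "192.0.2.10"),
    ("api.other.example.", "CNAME", "rogue.example.net."),  # out of bailiwick
]

if __name__ == "__main__":
    print("unchecked:", build_alias_map_unchecked(ANSWERS))
    print("checked:  ", build_alias_map_checked(QNAME, ANSWERS))
    print("rejected: ", out_of_bailiwick_cnames(QNAME, ANSWERS))
```

Running the module prints the unchecked map containing the injected api.other.example entry, the checked map containing only the www.example.net alias, and the rejected owner name that a resolver could log as a poisoning attempt.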
Impact
DNS Cache Poisoning (Bailiwick Bypass). Any application using Netty's DNS resolver is impacted.
Fix
Weakness Enumeration
Insufficient Verification of Data Authenticity
Related Identifiers
Affected Products
io.netty:netty-resolver-dns