GHSA-5pvg-856g-cp85HighCVSS 8.7

Netty has Insufficient Bailiwick Validation for NS Records

Published
June 8, 2026
Last Modified
June 8, 2026

🔗 CVE IDs covered (1)

📋 Description

Summary

Netty's DnsResolveContext insufficiently validates the bailiwick of NS records, enabling DNS Cache Poisoning. An attacker controlling an authoritative name server for a subdomain can poison the cache for parent domains (like .co.uk).

Details

In io.netty.resolver.dns.DnsResolveContext.AuthoritativeNameServerList#add method accepts any NS record from the AUTHORITY section as long as the record's name is a suffix of the questionName.

This means if the resolver queries evil.co.uk., it will accept an NS record claiming authority over co.uk.. Subsequently, the handleWithAdditional method caches the associated A records from the ADDITIONAL section directly into the authoritativeDnsServerCache under the parent domain's key (co.uk.). This bypasses standard bailiwick rules, where a server authoritative for a subdomain should not be trusted to provide authoritative records for its parent. The poisoned cache is then used for all future resolutions under co.uk..

The io.netty.resolver.dns.DnsResolveContext.AuthoritativeNameServerList#cache method only prevents caching if the record is for the root zone (dots == 1).

Impact

DNS Cache Poisoning. Any application using Netty's DNS resolver is impacted.

🎯 Affected products2

  • maven/io.netty:netty-resolver-dns:>= 4.2.0.Final, <= 4.2.14.Final
  • maven/io.netty:netty-resolver-dns:<= 4.1.134.Final

🔗 References (4)