CVE-2025-59089 | python-kdcproxy: remote DoS via unbounded TCP upstream buffering

If an attacker can make kdcproxy connect to a KDC they control (for example through server-side request forgery), they can exploit the fact that kdcproxy enforces no bound on the length of a TCP response to mount a denial-of-service attack. Kerberos over TCP frames each message with a 4-byte length prefix, but while receiving the KDC's response kdcproxy copies the entire buffered stream into a new buffer on every recv() call, even while the transfer is still incomplete, so memory allocation and CPU usage grow with every chunk received. Additionally, kdcproxy keeps accepting response chunks as long as the amount of data received is not exactly equal to the length given in the response header, even when an individual chunk or the accumulated buffer exceeds the maximum length of a Kerberos message. An attacker can therefore send unbounded data until the connection timeout is reached (approximately 12 seconds), exhausting the server's memory or CPU. Multiple concurrent requests can overflow the accept queue, denying service to legitimate clients.
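The two read loops below are an added illustration of the failure mode described above and of the bounded pattern that avoids it; they are example code written for this page, not kdcproxy's own code or its upstream fix. The 4-byte big-endian length prefix is real Kerberos-over-TCP framing (RFC 4120 section 7.2.2); ReplaySocket, the sample byte streams and the 64 KiB cap (MAX_KDC_MESSAGE) are constructed for the example and are not the values or classes the project uses. The "unbounded" reader stops only when the buffered body is exactly the declared length and rebuilds the whole buffer on each recv(); the "bounded" reader rejects an oversized declared length before allocating, reads at most the declared number of bytes, and extends a bytearray in place.

```python
import socket
import struct

# Assumed cap for this example only; it is NOT the limit kdcproxy's fix uses.
MAX_KDC_MESSAGE = 64 * 1024


class ReplaySocket:
    """Constructed stand-in for an upstream KDC connection (no network involved).

    recv() hands out the queued chunks, honouring bufsize like a real socket,
    and raises socket.timeout once the queue is empty: that is what a KDC that
    keeps the connection open but stops sending looks like to the proxy.
    """

    def __init__(self, chunks):
        self._chunks = [bytes(c) for c in chunks]
        self.recv_calls = 0

    def recv(self, bufsize):
        self.recv_calls += 1
        if not self._chunks:
            raise socket.timeout("upstream stalled until the connection timeout")
        head = self._chunks[0]
        out, rest = head[:bufsize], head[bufsize:]
        if rest:
            self._chunks[0] = rest
        else:
            self._chunks.pop(0)
        return out

    def unread(self):
        """Bytes the reader never consumed (attacker traffic still on the wire)."""
        return sum(len(c) for c in self._chunks)


def read_kdc_tcp_unbounded(sock, bufsize=4096):
    """Read loop in the shape the advisory describes (illustrative, not kdcproxy's code).

    Keeps reading until the buffered body is *exactly* the declared length,
    never checks the declared length against a maximum, never notices an
    overrun, and builds a fresh bytes object on every recv().
    Returns (body or None, bytes buffered, bytes copied across all recv() calls).
    """
    buf = b""
    copied = 0
    try:
        while True:
            chunk = sock.recv(bufsize)
            if not chunk:                      # upstream closed: give up
                return None, len(buf), copied
            buf = buf + chunk                  # copies everything received so far
            copied += len(buf)
            if len(buf) >= 4:
                (length,) = struct.unpack("!I", buf[:4])
                if len(buf) - 4 == length:     # only an exact match ends the loop
                    return buf[4:], len(buf), copied
    except socket.timeout:
        return None, len(buf), copied


def read_kdc_tcp_bounded(sock, bufsize=4096, max_len=MAX_KDC_MESSAGE):
    """Bounded variant: cap the declared length, read only that many bytes, extend in place."""
    header = bytearray()
    while len(header) < 4:
        chunk = sock.recv(4 - len(header))
        if not chunk:
            raise ConnectionError("EOF before the 4-byte length prefix")
        header += chunk
    (length,) = struct.unpack("!I", header)
    if length > max_len:
        raise ValueError(f"declared length {length} exceeds cap {max_len}")
    body = bytearray()
    while len(body) < length:
        chunk = sock.recv(min(bufsize, length - len(body)))  # never over-read
        if not chunk:
            raise ConnectionError("EOF before the declared length was received")
        body += chunk                          # in-place extend, no full-buffer copy
    return bytes(body)


def _frame(body):
    """Constructed helper: prefix a body with its Kerberos TCP length header."""
    return struct.pack("!I", len(body)) + body


# Constructed sample streams (not captured traffic).
GOOD_STREAM = [_frame(b"hello")[:7], b"lo"]                              # legitimate reply split mid-message
OVERRUN_STREAM = [struct.pack("!I", 4) + b"A" * 8] + [b"B" * 4096] * 3   # header says 4, sends 12 + 12288 bytes
HUGE_STREAM = [struct.pack("!I", 0xFFFFFFFF), b"C" * 4096]               # header claims a 4 GiB message


if __name__ == "__main__":
    print("unbounded, overrun (buffered, copied):", read_kdc_tcp_unbounded(ReplaySocket(OVERRUN_STREAM))[1:])
    sock = ReplaySocket(OVERRUN_STREAM)
    print("bounded, overrun:", read_kdc_tcp_bounded(sock), "recv calls:", sock.recv_calls, "unread:", sock.unread())
```

On the overrun stream the unbounded loop buffers every byte the attacker sends and copies roughly twice that amount in total before the simulated timeout, while the bounded reader returns after two recv() calls with the excess still unread; on the 4 GiB header it refuses before allocating anything. A real fix also needs a deadline on the whole upstream exchange and a limit on in-flight upstream connections, which this example does not show.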

Published: 2025-11-12 Last update: 2026-04-20 Assigner: [email protected] Source: [email protected]

Conclusion & alert: CVE-2025-59089 is rated Low Risk (29.2/100) by this site's composite score: CVSS 3.1 Medium (5.9) combined with a low estimated exploitation likelihood (EPSS 0.05%). Mandatory action: apply the vendor errata where they exist (see the Red Hat advisories under References; the Debian and Ubuntu trackers still list the issue as open), and monitor for updates and reassess as exploit intelligence or the EPSS score changes.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Exploit prediction scoring system (EPSS) score for CVE-2025-59089

EPSS lead: EPSS is a daily estimate of the probability that a vulnerability will be exploited in the wild within the next 30 days; the percentile ranks this CVE's score among all scored CVEs (a higher percentile means a higher estimated likelihood of exploitation relative to other CVEs, not a higher severity).

# | Date | Old EPSS score | New EPSS score | Delta (New - Old)
1 | 2025-11-13 | (no prior score) | 0.05% | n/a

Full EPSS history (1 record total)

Common vulnerability scoring system (CVSS) metrics for CVE-2025-59089

CVSS metrics for this CVE.

Base score | Version | Severity | Vector | Exploitability | Impact | Score source
5.9 | 3.1 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H | 2.2 | 3.6 | [email protected]

Attack vector (AV:N)
Exploitable over the network; the attacker needs no local or adjacent-network access to the host.
Attack complexity (AC:H)
Conditions outside the attacker's control must hold: here the attacker must first get kdcproxy to connect to a KDC they control (for example through server-side request forgery).
Privileges required (PR:N)
No account or authentication is needed.
User interaction (UI:N)
No action by any user is required.
Scope (S:U)
The impact is confined to the vulnerable component, the kdcproxy service itself; no other security authority is affected.
Confidentiality (C:N)
No information disclosure.
Integrity (I:N)
No data is modified or forged.
Availability (A:H)
Total loss of availability: the proxy can be driven out of memory or CPU, and concurrent requests can fill the accept queue so that legitimate Kerberos clients are refused.

Weakness enumeration for CVE-2025-59089

OS Trackers for CVE-2025-59089

vendor | priority | summary | link
debian | not yet assigned | 1 source package (python-kdcproxy); 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): open 5 | https://security-tracker.debian.org/tracker/CVE-2025-59089
redhat | medium | (no per-suite summary in dataset) | https://access.redhat.com/security/cve/CVE-2025-59089
ubuntu | medium | 1 source package (python-kdcproxy); 8 status rows across 8 suites (bionic, focal, jammy, noble, plucky, questing, upstream, xenial): needs-triage 7, ignored 1 | https://ubuntu.com/security/CVE-2025-59089

Affected software / configurations for CVE-2025-59089

Vendor Product Version Raw CPE
No affected products in dataset.

References for CVE-2025-59089

URL Tags
https://access.redhat.com/errata/RHSA-2025:21138
https://access.redhat.com/errata/RHSA-2025:21139
https://access.redhat.com/errata/RHSA-2025:21140
https://access.redhat.com/errata/RHSA-2025:21141
https://access.redhat.com/errata/RHSA-2025:21142
https://access.redhat.com/errata/RHSA-2025:21448
https://access.redhat.com/errata/RHSA-2025:21748
https://access.redhat.com/errata/RHSA-2025:21806
https://access.redhat.com/errata/RHSA-2025:21818
https://access.redhat.com/errata/RHSA-2025:21819
https://access.redhat.com/errata/RHSA-2025:21820
https://access.redhat.com/errata/RHSA-2025:21821
https://access.redhat.com/errata/RHSA-2025:22982
https://access.redhat.com/security/cve/CVE-2025-59089
https://bugzilla.redhat.com/show_bug.cgi?id=2393958
https://github.com/latchset/kdcproxy/commit/c7675365aa20be11f03247966336c7613cac84e1
https://github.com/latchset/kdcproxy/pull/68