Critical Vulnerability Information

CVE ID: CVE-2025-59088
Release Date: November 12, 2025
Severity: Important
CVSS v3 Score: 8.6

Description

If kdcproxy receives a request for a domain that does not have a server address defined in its configuration, it defaults to querying SRV records in the DNS zone matching the requested domain. This creates a Server-Side Request Forgery (SSRF) vulnerability: attackers can send requests for DNS zones in which they have created SRV records pointing to arbitrary ports and hostnames, which may resolve to loopback or internal IP addresses. The vulnerability can be exploited to probe internal network topology and firewall rules, perform port scanning, and exfiltrate data.

Deployments where "use_dns" is set to false are unaffected.

Mitigation

Until the final fix is applied, set the "use_dns" parameter in the global section of the kdcproxy.conf file to false. This disables DNS lookups for Active Directory servers, but may impact services that require DNS.

Affected Packages and Red Hat Security Advisories

Red Hat Enterprise Linux 10: python-kdcproxy
Red Hat Enterprise Linux 10.0 Extended Update Support: python-kdcproxy
Red Hat Enterprise Linux 8: idm:client, idm:DL1
Red Hat Enterprise Linux 9: python-kdcproxy
Red Hat Enterprise Linux 9.6 Extended Update Support: python-kdcproxy
Red Hat Enterprise Linux 7: python-kdcproxy (affected)

CVSS v3 Score Details

Attack Vector: Network
Attack Complexity: Low
Required Privileges: None
User Interaction: None
Scope: Changed
Confidentiality Impact: High
Integrity Impact: None
Availability Impact: None

Weakness (CWE)

CWE-918: Server-Side Request Forgery (SSRF)

Acknowledgments

Thanks to Arad Inbar for reporting this issue.
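The following is an added audit script, not code from the advisory or from the kdcproxy project. It parses a kdcproxy.conf-style INI file and reports, for a given realm, whether a request would fall through to the SRV lookup described above: a realm has no explicit server address and "use_dns" is true (or absent, which is assumed here to mean DNS is enabled). The "[global]" section and the "use_dns" key come from the advisory; the per-realm section layout with "kerberos" and "kpasswd" keys, the sample hostnames, and the default-to-true behaviour are assumptions made for the example. The constructed sample shows the weak setting and the mitigated setting side by side.

```python
import configparser
from dataclasses import dataclass

# Constructed sample configuration (not a real deployment). The realm
# section format ([REALM] with "kerberos"/"kpasswd" keys) is assumed.
WEAK_CONF = """
[global]
use_dns = true

[EXAMPLE.COM]
kerberos = kerberos://kdc1.example.com:88 kerberos://kdc2.example.com:88
kpasswd = kpasswd://kdc1.example.com:464

[PARTNER.EXAMPLE]
; realm section present but no server addresses configured
"""

# Mitigation from the advisory: use_dns = false in the global section.
MITIGATED_CONF = WEAK_CONF.replace("use_dns = true", "use_dns = false")


@dataclass
class Finding:
    realm: str
    explicit_servers: int
    dns_fallback_possible: bool


def load(text):
    """Parse kdcproxy.conf-style INI text."""
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    return cfg


def use_dns_enabled(cfg):
    # Assumption for this example: an absent key behaves as "true".
    return cfg.getboolean("global", "use_dns", fallback=True)


def explicit_servers(cfg, realm):
    """Server URIs explicitly configured for a realm (empty if none)."""
    if not cfg.has_section(realm):
        return []
    servers = []
    for key in ("kerberos", "kpasswd"):
        servers += cfg.get(realm, key, fallback="").split()
    return servers


def dns_fallback_for(text, realm):
    """True if a request for `realm` would be resolved via DNS SRV lookup,
    i.e. the realm has no configured server and use_dns is enabled.
    Unlisted realms count the same as listed-but-empty ones."""
    cfg = load(text)
    return use_dns_enabled(cfg) and not explicit_servers(cfg, realm)


def audit(text, realms):
    """Report exposure for each realm of interest under this config."""
    cfg = load(text)
    return [
        Finding(r, len(explicit_servers(cfg, r)), dns_fallback_for(text, r))
        for r in realms
    ]


if __name__ == "__main__":
    realms = ["EXAMPLE.COM", "PARTNER.EXAMPLE", "UNLISTED.TEST"]
    for label, conf in (("weak", WEAK_CONF), ("mitigated", MITIGATED_CONF)):
        print(f"== {label} config (use_dns={use_dns_enabled(load(conf))}) ==")
        for f in audit(conf, realms):
            status = "DNS fallback possible" if f.dns_fallback_possible else "ok"
            print(f"{f.realm:18} servers={f.explicit_servers}  {status}")
```

Run against a real deployment, the realms to check are whatever a client could name in a request, so the decisive finding is the global flag: with "use_dns" enabled, any realm not given an explicit server address in the file is reported as exposed, which matches the advisory's statement that only deployments with "use_dns" set to false are unaffected.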