Nixpkgs security tracker

Untriaged

Permalink CVE-2026-33608

7.4 HIGH

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): High (H)
Privileges Required (PR): None (N)
User Interaction (UI): None (N)
Scope (S): Unchanged (U)
Confidentiality (C): None (N)
Integrity (I): High (H)
Availability (A): High (H)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): High (H)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): None (N)
Modified Confidentiality (MC): None (N)
Modified Scope (MS): Unchanged (U)
Modified Integrity (MI): High (H)
Modified Availability (MA): High (H)

created 1 month, 1 week ago Activity log

Created suggestion 1 month, 1 week ago

Incomplete domain name sanitization during

An attacker can send a notify request that causes a new secondary domain to be added to the bind backend, but causes said backend to update its configuration to an invalid one, leading to the backend no longer able to run on the next restart, requiring manual operation to fix it.

References

https://docs.powerdns.com/authoritative/security-advisories/powerdns-advisory-p…

Affected products

pdns

<4.9.14
<5.0.4

Matching in nixpkgs

pkgs.pdns

Authoritative DNS server

nixos-unstable 5.0.3
- nixpkgs-unstable 5.0.3
- nixos-unstable-small 5.0.3
nixos-25.11 4.9.8
- nixos-25.11-small 4.9.8
- nixpkgs-25.11-darwin 4.9.8

pkgs.pdnsd

Permanent DNS caching

nixos-unstable 1.2.9a-par
- nixpkgs-unstable 1.2.9a-par
- nixos-unstable-small 1.2.9a-par
nixos-25.11 1.2.9a-par
- nixos-25.11-small 1.2.9a-par
- nixpkgs-25.11-darwin 1.2.9a-par