DNSJava vulnerable to KeyTrap - Denial-of-Service Algorithmic Complexity Attacks · GHSA-crjg-w57m-rqqf · GitHub Advisory Database

Users using the ValidatingResolver for DNSSEC validation can run into CPU exhaustion with specially crafted DNSSEC-signed zones.

Users should upgrade to dnsjava v3.6.0

Although not recommended, only using a non-validating resolver, will remove the vulnerability.

ibauersachs published to dnsjava/dnsjava Jul 21, 2024

Published to the GitHub Advisory Database Jul 22, 2024

Reviewed Jul 22, 2024

Last updated Sep 11, 2024

Provide feedback