DNSJava affected by KeyTrap - NSEC3 closest encloser proof can exhaust CPU resources · GHSA-mmwx-rj87-vfgr · GitHub Advisory Database

Users using the ValidatingResolver for DNSSEC validation can run into CPU exhaustion with specially crafted DNSSEC-signed zones.

Users should upgrade to dnsjava v3.6.0

Although not recommended, only using a non-validating resolver, will remove the vulnerability.

ibauersachs published to dnsjava/dnsjava Jul 21, 2024

Published to the GitHub Advisory Database Jul 22, 2024

Reviewed Jul 22, 2024

Last updated Sep 12, 2024

Provide feedback