Insufficient Control of Network Message Volume (Network Amplification) in ntp-proto | CVE-2025-58066

Q: How to fix?

Upgrade ntp-proto to version 1.6.2 or higher.

Threat Intelligence

0.04% (11^th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk IDSNYK-RUST-NTPPROTO-12301717
published31 Aug 2025
disclosed29 Aug 2025
creditEric Sesterhenn

Report a new vulnerability Found a mistake?

Introduced: 29 Aug 2025

NewCVE-2025-58066 (opens in a new tab) CWE-406 (opens in a new tab)

How to fix?

Upgrade ntp-proto to version 1.6.2 or higher.

Overview

ntp-proto is a This crate contains packet parsing and algorithm code for ntpd-rs and is not intended as a public in

Affected versions of this package are vulnerable to Insufficient Control of Network Message Volume (Network Amplification) due to handling non-NTS traffic on servers. An attacker can cause a message storm between two affected servers by sending specially crafted network traffic.

Note: This is only exploitable if the server is configured to allow non-NTS traffic and is not running in client-only mode.

References

GitHub Commit

CVSS Base Scores

version 4.0

version 3.1

Attack Vector (AV)
Network
Attack Complexity (AC)
Low
Attack Requirements (AT)
None
Privileges Required (PR)
None
User Interaction (UI)
None

Confidentiality (VC)
None
Integrity (VI)
None
Availability (VA)
Low

Confidentiality (SC)
None
Integrity (SI)
None
Availability (SA)
None

Insufficient Control of Network Message Volume (Network Amplification) Affecting ntp-proto package, versions >=1.2.0 <1.6.2

Severity