1.1

CVSS Score

4.0

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-46735

CVE-2025-46735: Terraform WinDNS Provider improperly sanitizes input variables in `windns_record`

Impact:

A security issue has been found in terraform-provider-windns before version 1.0.5. The windns_record resource did not santize the input variables. This can lead to authenticated command injection in the underlyding powershell command prompt.

Patches:

83ef736 (fix: better input validation)

Fixed versions:

v1.0.5

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-46735

CVE-2025-46735:

1.1

CVSS Score

4.0

-

CVSS Score

Basic Information

Is this CVE running in your environment?

Easily map the attack path and prioritize which CVEs are a threat to your organization

Validate Exposure

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/nrkno/terraform-provider-windns	go	<= 1.0.4

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability was due to improper sanitization of input variables used in constructing PowerShell commands. The core flawed sanitization was in internal/dnshelper.SanitiseString (original name) and consequently in internal/dnshelper.SanitiseTFInput which used it. These functions failed to neutralize special characters effectively for a PowerShell context. Functions like internal/dnshelper.NewDNSRecordFromResource and internal/dnshelper.(*Record).Update consumed this insufficiently sanitized input to populate record data. Subsequently, methods internal/dnshelper.(*Record).addRecordData and internal/dnshelper.(*Record).removeRecordData constructed PowerShell command strings by interpolating this potentially malicious data, in some cases without appropriate quoting (e.g., TXT records in addRecordData, and recordData in removeRecordData), leading to a command injection vulnerability. The provider functions (resourceDNSRecordCreate, resourceDNSRecordUpdate, resourceDNSRecordDelete) in internal/provider/resource_win_dns_record.go served as the entry points, taking user-controlled data from Terraform configurations and passing it into this vulnerable processing chain.

The patch addresses this by:

Introducing a more robust SanitizeInputString function in internal/dnshelper/dnshelper.go which uses a regex for most record types and specific escaping (escapePowerShellInput) for TXT records.
Modifying SanitiseTFInput to use this new SanitizeInputString.
Updating NewDNSRecordFromResource and (*Record).Update in internal/dnshelper/dns.go to use the new sanitization logic and return errors if sanitization fails.
Adding explicit quoting for recordData in (*Record).addRecordData (for TXT records) and (*Record).removeRecordData in internal/dnshelper/dns.go.
Propagating error handling for sanitization failures up to the provider functions in .

Vulnerability Intelligence
Miggo AI

Unlock WAF rules for this CVE

Generate vendor-ready rules for the observed attack patterns, plus reasoning and safe deployment guidance

Get WAF rules

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

1.1

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-46735: Terraform WinDNS Provider improperly sanitizes input variables in `windns_record`

Impact:

Patches:

Fixed versions:

CVE-2025-46735:

1.1

-

Basic Information

Basic Information

Is this CVE running in your environment?

Technical Details

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

Vulnerability Intelligence
Miggo AI

Unlock WAF rules for this CVE

WAF Protection Rules

WAF Rule

Reasoning

Detect and Respond To Threats Faster.

CVE-2025-46735: Terraform WinDNS Provider improperly sanitizes input variables in `windns_record`

Impact:

Patches:

Fixed versions:

Technical Details

1.1

1.1

Basic Information

Basic Information

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

Vulnerable functions

1.1

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-46735: Terraform WinDNS Provider improperly sanitizes input variables in `windns_record`

Impact:

Patches:

Fixed versions:

CVE-2025-46735:

1.1

-

Basic Information

Basic Information

Is this CVE running in your environment?

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerability IntelligenceMiggo AI

Unlock WAF rules for this CVE

WAF Protection Rules

WAF Rule

Reasoning

CVE-2025-46735: Terraform WinDNS Provider improperly sanitizes input variables in `windns_record`

Impact:

Patches:

Fixed versions:

Technical Details

1.1

1.1

Basic Information

Basic Information

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI