CVE-2025-46735: Terraform WinDNS Provider improperly sanitizes input variables in `windns_record`

May 6, 2025

Impact:

A security issue has been found in terraform-provider-windns before version 1.0.5. The windns_record resource did not santize the input variables. This can lead to authenticated command injection in the underlyding powershell command prompt.

Patches:

References

github.com/advisories/GHSA-4vgf-2cm4-mp7c
github.com/nrkno/terraform-provider-windns
github.com/nrkno/terraform-provider-windns/commit/c76f69610c1b502f90aaed8c4f102194530b5bce
github.com/nrkno/terraform-provider-windns/security/advisories/GHSA-4vgf-2cm4-mp7c
nvd.nist.gov/vuln/detail/CVE-2025-46735

Code Behaviors & Features

Detect and mitigate CVE-2025-46735 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →