CVE-2025-47950

CoreDNS is a DNS server that chains plugins. In versions prior to 1.12.2, a Denial of Service (DoS) vulnerability exists in the CoreDNS DNS-over-QUIC (DoQ) server implementation. The server previously created a new goroutine for every incoming QUIC stream without imposing any limits on the number of concurrent streams or goroutines. A remote, unauthenticated attacker could open a large number of streams, leading to uncontrolled memory consumption and eventually causing an Out Of Memory (OOM) crash — especially in containerized or memory-constrained environments. The patch in version 1.12.2 introduces two key mitigation mechanisms: `max_streams`, which caps the number of concurrent QUIC streams per connection with a default value of `256`; and `worker_pool_size`, which introduces a server-wide, bounded worker pool to process incoming streams with a default value of `1024`. This eliminates the 1:1 stream-to-goroutine model and ensures that CoreDNS remains resilient under high concurrency. Some workarounds are available for those who are unable to upgrade. Disable QUIC support by removing or commenting out the `quic://` block in the Corefile, use container runtime resource limits to detect and isolate excessive memory usage, and/or monitor QUIC connection patterns and alert on anomalies.
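As an added illustration (not CoreDNS's own code), the Go model below reproduces the two limits the 1.12.2 fix describes: a server-wide pool of `worker_pool_size` worker goroutines and a per-connection cap of `max_streams` admitted streams, so a peer opening more streams than either limit allows is refused instead of spawning another goroutine. The admission logic, worker loop and error names are assumptions of this model, not CoreDNS identifiers.

```go
package main

import (
	"errors"
	"sync"
	"sync/atomic"
)

// Illustrative model of the 1.12.2 design (not CoreDNS's own code): a fixed set of
// worker_pool_size worker goroutines shared by all connections, plus a per-connection
// cap of max_streams admitted streams. Before the fix every stream got `go handle(stream)`.
var ErrTooManyStreams = errors.New("max_streams exceeded on this connection")
var ErrPoolFull = errors.New("worker pool saturated, stream rejected")

type Server struct {
	slots  chan struct{} // one token per idle worker
	jobs   chan func()   // queue drained by the fixed worker goroutines
	maxStr int32         // max_streams
	wg     sync.WaitGroup
}
type Conn struct{ srv *Server; active int32 } // active: streams admitted on this connection

func NewServer(workerPoolSize, maxStreams int) *Server {
	s := &Server{slots: make(chan struct{}, workerPoolSize),
		jobs: make(chan func(), workerPoolSize), maxStr: int32(maxStreams)}
	for i := 0; i < workerPoolSize; i++ { // start the bounded pool once, up front
		s.slots <- struct{}{}
		go func() { for job := range s.jobs { job(); s.slots <- struct{}{} } }()
	}
	return s
}
func (s *Server) NewConn() *Conn { return &Conn{srv: s} }
func (s *Server) Wait()          { s.wg.Wait() }
func (c *Conn) Active() int32    { return atomic.LoadInt32(&c.active) }

// HandleStream admits a stream only if both limits allow it; excess streams are rejected at once.
func (c *Conn) HandleStream(handler func()) error {
	reject := func(err error) error { atomic.AddInt32(&c.active, -1); return err }
	if atomic.AddInt32(&c.active, 1) > c.srv.maxStr {
		return reject(ErrTooManyStreams)
	}
	select {
	case <-c.srv.slots: // claim an idle worker
	default:
		return reject(ErrPoolFull)
	}
	c.srv.wg.Add(1)
	c.srv.jobs <- func() { defer c.srv.wg.Done(); defer atomic.AddInt32(&c.active, -1); handler() }
	return nil
}
```

With the defaults from the advisory (`NewServer(1024, 256)`) one connection can hold at most 256 in-flight streams and the whole server at most 1024, which is the bound the pre-fix goroutine-per-stream code lacked.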

Configurations

No configuration.

History

09 Jun 2025, 12:15

Type: Summary
Values Removed: (none)
Values Added:
  • (es) CoreDNS is a DNS server that chains plugins. In versions prior to 1.12.2, a denial-of-service (DoS) vulnerability existed in the CoreDNS DNS-over-QUIC (DoQ) server implementation. Previously, the server created a new goroutine for every incoming QUIC stream without imposing any limit on the number of concurrent streams or goroutines. A remote, unauthenticated attacker could open a large number of streams, leading to uncontrolled memory consumption and eventually an out-of-memory (OOM) crash, especially in containerized or memory-constrained environments. The 1.12.2 patch introduces two key mitigation mechanisms: `max_streams`, which limits the number of concurrent QUIC streams per connection with a default value of `256`; and `worker_pool_size`, which introduces a bounded, server-wide worker pool to process incoming streams with a default value of `1024`. This eliminates the 1:1 stream-to-goroutine model and guarantees CoreDNS's resilience under high concurrency. Workarounds exist for those who cannot upgrade. Disable QUIC support by removing or commenting out the `quic://` block in the Corefile, use container runtime resource limits to detect and isolate excessive memory usage, or monitor QUIC connection patterns and alert on anomalies.

06 Jun 2025, 22:15

Type: Summary
Values Removed:
  • (en) CoreDNS is a DNS server that chains plugins. In versions prior to 1.21.2, a Denial of Service (DoS) vulnerability exists in the CoreDNS DNS-over-QUIC (DoQ) server implementation. The server previously created a new goroutine for every incoming QUIC stream without imposing any limits on the number of concurrent streams or goroutines. A remote, unauthenticated attacker could open a large number of streams, leading to uncontrolled memory consumption and eventually causing an Out Of Memory (OOM) crash — especially in containerized or memory-constrained environments. The patch in version 1.21.2 introduces two key mitigation mechanisms: `max_streams`, which caps the number of concurrent QUIC streams per connection with a default value of `256`; and `worker_pool_size`, which Introduces a server-wide, bounded worker pool to process incoming streams with a default value of `1024`. This eliminates the 1:1 stream-to-goroutine model and ensures that CoreDNS remains resilient under high concurrency. Some workarounds are available for those who are unable to upgrade. Disable QUIC support by removing or commenting out the `quic://` block in the Corefile, use container runtime resource limits to detect and isolate excessive memory usage, and/or monitor QUIC connection patterns and alert on anomalies.
Values Added:
  • (en) CoreDNS is a DNS server that chains plugins. In versions prior to 1.12.2, a Denial of Service (DoS) vulnerability exists in the CoreDNS DNS-over-QUIC (DoQ) server implementation. The server previously created a new goroutine for every incoming QUIC stream without imposing any limits on the number of concurrent streams or goroutines. A remote, unauthenticated attacker could open a large number of streams, leading to uncontrolled memory consumption and eventually causing an Out Of Memory (OOM) crash — especially in containerized or memory-constrained environments. The patch in version 1.12.2 introduces two key mitigation mechanisms: `max_streams`, which caps the number of concurrent QUIC streams per connection with a default value of `256`; and `worker_pool_size`, which Introduces a server-wide, bounded worker pool to process incoming streams with a default value of `1024`. This eliminates the 1:1 stream-to-goroutine model and ensures that CoreDNS remains resilient under high concurrency. Some workarounds are available for those who are unable to upgrade. Disable QUIC support by removing or commenting out the `quic://` block in the Corefile, use container runtime resource limits to detect and isolate excessive memory usage, and/or monitor QUIC connection patterns and alert on anomalies.

06 Jun 2025, 18:15

Type: New CVE
Values Removed: (none)
Values Added: (none)

Information

Published : 2025-06-06 18:15

Updated : 2025-06-09 12:15
NVD link : CVE-2025-47950

Mitre link : CVE-2025-47950

CVE.ORG link : CVE-2025-47950


Products Affected

No product.

CWE
CWE-770

Allocation of Resources Without Limits or Throttling