{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-47950", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-05-14T10:32:43.531Z", "datePublished": "2025-06-06T17:32:30.218Z", "dateUpdated": "2025-06-06T21:27:05.841Z"}, "containers": {"cna": {"title": "CoreDNS Vulnerable to DoQ Memory Exhaustion via Stream Amplification", "problemTypes": [{"descriptions": [{"cweId": "CWE-770", "lang": "en", "description": "CWE-770: Allocation of Resources Without Limits or Throttling", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/coredns/coredns/security/advisories/GHSA-cvx7-x8pj-x2gw", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/coredns/coredns/security/advisories/GHSA-cvx7-x8pj-x2gw"}, {"name": "https://github.com/coredns/coredns/commit/efaed02c6a480ec147b1f799aab7cf815b17dfe1", "tags": ["x_refsource_MISC"], "url": "https://github.com/coredns/coredns/commit/efaed02c6a480ec147b1f799aab7cf815b17dfe1"}, {"name": "https://datatracker.ietf.org/doc/html/rfc9250", "tags": ["x_refsource_MISC"], "url": "https://datatracker.ietf.org/doc/html/rfc9250"}, {"name": "https://github.com/quic-go/quic-go", "tags": ["x_refsource_MISC"], "url": "https://github.com/quic-go/quic-go"}, {"name": "https://www.usenix.org/conference/usenixsecurity23/presentation/botella", "tags": ["x_refsource_MISC"], "url": "https://www.usenix.org/conference/usenixsecurity23/presentation/botella"}], "affected": [{"vendor": "coredns", "product": "coredns", "versions": [{"version": "< 1.12.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-06-06T21:27:05.841Z"}, "descriptions": [{"lang": "en", "value": "CoreDNS is a DNS server that chains plugins. In versions prior to 1.12.2, a Denial of Service (DoS) vulnerability exists in the CoreDNS DNS-over-QUIC (DoQ) server implementation. The server previously created a new goroutine for every incoming QUIC stream without imposing any limits on the number of concurrent streams or goroutines. A remote, unauthenticated attacker could open a large number of streams, leading to uncontrolled memory consumption and eventually causing an Out Of Memory (OOM) crash \u2014 especially in containerized or memory-constrained environments. The patch in version 1.12.2 introduces two key mitigation mechanisms: `max_streams`, which caps the number of concurrent QUIC streams per connection with a default value of `256`; and `worker_pool_size`, which Introduces a server-wide, bounded worker pool to process incoming streams with a default value of `1024`. This eliminates the 1:1 stream-to-goroutine model and ensures that CoreDNS remains resilient under high concurrency. Some workarounds are available for those who are unable to upgrade. Disable QUIC support by removing or commenting out the `quic://` block in the Corefile, use container runtime resource limits to detect and isolate excessive memory usage, and/or monitor QUIC connection patterns and alert on anomalies."}], "source": {"advisory": "GHSA-cvx7-x8pj-x2gw", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-06-06T18:40:34.748230Z", "id": "CVE-2025-47950", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-06T18:42:01.227Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-47950", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-06-06T18:40:34.748230Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-06T18:41:56.320Z"}}], "cna": {"title": "CoreDNS Vulnerable to DoQ Memory Exhaustion via Stream Amplification", "source": {"advisory": "GHSA-cvx7-x8pj-x2gw", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "coredns", "product": "coredns", "versions": [{"status": "affected", "version": "< 1.12.2"}]}], "references": [{"url": "https://github.com/coredns/coredns/security/advisories/GHSA-cvx7-x8pj-x2gw", "name": "https://github.com/coredns/coredns/security/advisories/GHSA-cvx7-x8pj-x2gw", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/coredns/coredns/commit/efaed02c6a480ec147b1f799aab7cf815b17dfe1", "name": "https://github.com/coredns/coredns/commit/efaed02c6a480ec147b1f799aab7cf815b17dfe1", "tags": ["x_refsource_MISC"]}, {"url": "https://datatracker.ietf.org/doc/html/rfc9250", "name": "https://datatracker.ietf.org/doc/html/rfc9250", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/quic-go/quic-go", "name": "https://github.com/quic-go/quic-go", "tags": ["x_refsource_MISC"]}, {"url": "https://www.usenix.org/conference/usenixsecurity23/presentation/botella", "name": "https://www.usenix.org/conference/usenixsecurity23/presentation/botella", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "CoreDNS is a DNS server that chains plugins. In versions prior to 1.12.2, a Denial of Service (DoS) vulnerability exists in the CoreDNS DNS-over-QUIC (DoQ) server implementation. The server previously created a new goroutine for every incoming QUIC stream without imposing any limits on the number of concurrent streams or goroutines. A remote, unauthenticated attacker could open a large number of streams, leading to uncontrolled memory consumption and eventually causing an Out Of Memory (OOM) crash \u2014 especially in containerized or memory-constrained environments. The patch in version 1.12.2 introduces two key mitigation mechanisms: `max_streams`, which caps the number of concurrent QUIC streams per connection with a default value of `256`; and `worker_pool_size`, which Introduces a server-wide, bounded worker pool to process incoming streams with a default value of `1024`. This eliminates the 1:1 stream-to-goroutine model and ensures that CoreDNS remains resilient under high concurrency. Some workarounds are available for those who are unable to upgrade. Disable QUIC support by removing or commenting out the `quic://` block in the Corefile, use container runtime resource limits to detect and isolate excessive memory usage, and/or monitor QUIC connection patterns and alert on anomalies."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-770", "description": "CWE-770: Allocation of Resources Without Limits or Throttling"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-06-06T21:27:05.841Z"}}}, "cveMetadata": {"cveId": "CVE-2025-47950", "state": "PUBLISHED", "dateUpdated": "2025-06-06T21:27:05.841Z", "dateReserved": "2025-05-14T10:32:43.531Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-06-06T17:32:30.218Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "CoreDNS is a DNS server that chains plugins. In versions prior to 1.12.2, a Denial of Service (DoS) vulnerability exists in the CoreDNS DNS-over-QUIC (DoQ) server implementation. The server previously created a new goroutine for every incoming QUIC stream without imposing any limits on the number of concurrent streams or goroutines. A remote, unauthenticated attacker could open a large number of streams, leading to uncontrolled memory consumption and eventually causing an Out Of Memory (OOM) crash \u2014 especially in containerized or memory-constrained environments. The patch in version 1.12.2 introduces two key mitigation mechanisms: `max_streams`, which caps the number of concurrent QUIC streams per connection with a default value of `256`; and `worker_pool_size`, which Introduces a server-wide, bounded worker pool to process incoming streams with a default value of `1024`. This eliminates the 1:1 stream-to-goroutine model and ensures that CoreDNS remains resilient under high concurrency. Some workarounds are available for those who are unable to upgrade. Disable QUIC support by removing or commenting out the `quic://` block in the Corefile, use container runtime resource limits to detect and isolate excessive memory usage, and/or monitor QUIC connection patterns and alert on anomalies."}, {"lang": "es", "value": "CoreDNS es un servidor DNS que encadena complementos. En versiones anteriores a la 1.12.2, exist\u00eda una vulnerabilidad de denegaci\u00f3n de servicio (DoS) en la implementaci\u00f3n del servidor DNS sobre QUIC (DoQ) de CoreDNS. Anteriormente, el servidor creaba una nueva goroutine para cada flujo QUIC entrante sin imponer ning\u00fan l\u00edmite en el n\u00famero de flujos o goroutines simult\u00e1neos. Un atacante remoto no autenticado podr\u00eda abrir un gran n\u00famero de flujos, lo que provocar\u00eda un consumo de memoria descontrolado y, eventualmente, un fallo por falta de memoria (OOM), especialmente en entornos contenedorizados o con memoria limitada. El parche de la versi\u00f3n 1.12.2 introduce dos mecanismos clave de mitigaci\u00f3n: `max_streams`, que limita el n\u00famero de flujos QUIC simult\u00e1neos por conexi\u00f3n con un valor predeterminado de `256`; y `worker_pool_size`, que introduce un grupo de trabajadores limitado a nivel de servidor para procesar los flujos entrantes con un valor predeterminado de `1024`. Esto elimina el modelo 1:1 de flujo a go-rutina y garantiza la resiliencia de CoreDNS en condiciones de alta concurrencia. Existen soluciones alternativas para quienes no puedan actualizar. Desactive la compatibilidad con QUIC eliminando o comentando el bloque `quic://` en el Corefile, utilice los l\u00edmites de recursos del contenedor en tiempo de ejecuci\u00f3n para detectar y aislar el uso excesivo de memoria, o monitoree los patrones de conexi\u00f3n de QUIC y alerte sobre anomal\u00edas."}], "id": "CVE-2025-47950", "lastModified": "2025-06-09T12:15:47.880", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2025-06-06T18:15:35.330", "references": [{"source": "security-advisories@github.com", "url": "https://datatracker.ietf.org/doc/html/rfc9250"}, {"source": "security-advisories@github.com", "url": "https://github.com/coredns/coredns/commit/efaed02c6a480ec147b1f799aab7cf815b17dfe1"}, {"source": "security-advisories@github.com", "url": "https://github.com/coredns/coredns/security/advisories/GHSA-cvx7-x8pj-x2gw"}, {"source": "security-advisories@github.com", "url": "https://github.com/quic-go/quic-go"}, {"source": "security-advisories@github.com", "url": "https://www.usenix.org/conference/usenixsecurity23/presentation/botella"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-770"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{"bugzilla": {"description": "coredns: CoreDNS Vulnerable to DoQ Memory Exhaustion via Stream Amplification", "id": "2370860", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2370860"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "status": "draft"}, "cwe": "CWE-770", "details": ["CoreDNS is a DNS server that chains plugins. In versions prior to 1.12.2, a Denial of Service (DoS) vulnerability exists in the CoreDNS DNS-over-QUIC (DoQ) server implementation. The server previously created a new goroutine for every incoming QUIC stream without imposing any limits on the number of concurrent streams or goroutines. A remote, unauthenticated attacker could open a large number of streams, leading to uncontrolled memory consumption and eventually causing an Out Of Memory (OOM) crash \u2014 especially in containerized or memory-constrained environments. The patch in version 1.12.2 introduces two key mitigation mechanisms: `max_streams`, which caps the number of concurrent QUIC streams per connection with a default value of `256`; and `worker_pool_size`, which Introduces a server-wide, bounded worker pool to process incoming streams with a default value of `1024`. This eliminates the 1:1 stream-to-goroutine model and ensures that CoreDNS remains resilient under high concurrency. Some workarounds are available for those who are unable to upgrade. Disable QUIC support by removing or commenting out the `quic://` block in the Corefile, use container runtime resource limits to detect and isolate excessive memory usage, and/or monitor QUIC connection patterns and alert on anomalies.", "A memory exhaustion vulnerability was found in CoreDNS when operating with QUIC traffic streams. The CoreDNS server in affected versions would spawn a new goroutine for each incoming QUIC stream without limit. This flaw allows a malicious user to create an unbounded number of QUIC streams and consume all available resources, leading to an application level denial of service."], "mitigation": {"lang": "en:us", "value": "Users unable to upgrade should manually disable the QUIC protocol support."}, "name": "CVE-2025-47950", "package_state": [{"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Affected", "package_name": "rhacm2/lighthouse-agent-rhel9", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Affected", "package_name": "rhacm2/lighthouse-coredns-rhel9", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-coredns", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-coredns-rhel9", "product_name": "Red Hat OpenShift Container Platform 4"}], "public_date": "2025-06-06T17:32:30Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-47950\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-47950\nhttps://datatracker.ietf.org/doc/html/rfc9250\nhttps://github.com/coredns/coredns/commit/efaed02c6a480ec147b1f799aab7cf815b17dfe1\nhttps://github.com/coredns/coredns/security/advisories/GHSA-cvx7-x8pj-x2gw\nhttps://github.com/quic-go/quic-go\nhttps://www.usenix.org/conference/usenixsecurity23/presentation/botella"], "statement": "On a Red Hat system, a denial of service to the CoreDNS service will not take down the host system, so the availability impact is assessed as Low for Red Hat systems.", "threat_severity": "Moderate"}