CVE-2025-30187: CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop') in PowerDNS DNSdist
In some circumstances, when DNSdist is configured to use the nghttp2 library to process incoming DNS over HTTPS queries, an attacker might be able to cause a denial of service by crafting a DoH exchange that triggers an unbounded I/O read loop, causing an unexpected consumption of CPU resources.
AI Analysis
Technical Summary
CVE-2025-30187 affects PowerDNS DNSdist, a DNS load balancer and proxy that sits in front of authoritative servers or recursors and terminates DNS over UDP, TCP, DoT and DoH. This page lists DNSdist 1.9.0 and 2.0.0 as affected, and only when a DoH frontend is served by the nghttp2 library, which DNSdist uses for HTTP/2 framing; DoH listeners that do not use nghttp2 are not affected by this issue as described.

The weakness is CWE-835, a loop with an unreachable exit condition. A crafted DoH exchange drives DNSdist's I/O read loop into a state where the condition that should end the loop never becomes true, so the thread keeps cycling on that connection without making progress. DNSdist is event-driven, so a thread stuck in such a loop burns a CPU core and cannot service anything else it is responsible for; that CPU exhaustion, not memory growth, is the denial of service. Confidentiality and integrity are not affected.

The CVSS 3.1 base score is 3.7 (Low), vector AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L: the flaw is reachable over the network and needs neither privileges nor user interaction, but attack complexity is High because the DoH exchange has to be shaped precisely to reach the faulty state, and the availability impact is rated Low. No exploitation in the wild is reported. This page links no patch, so the PowerDNS security advisory for CVE-2025-30187 should be consulted for fixed releases rather than assuming none exist.
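The loop shape behind CWE-835, as an added illustration that is not DNSdist or nghttp2 code: a non-blocking read loop whose exit condition is controlled by the peer, next to a version that bounds every pass by progress. FakeTransport, FrameSession, WouldBlock, the two read-loop functions and the sample frames are constructed for this example and are not DNSdist identifiers; the frame splitter only mimics the 9-byte HTTP/2 frame header so the demo has something to parse.

```python
"""CWE-835 in an I/O read loop: the exit condition depends on the peer.

Added example with constructed stand-ins; none of this is DNSdist or nghttp2 code.
"""
from dataclasses import dataclass, field
from typing import List, Tuple


class WouldBlock(Exception):
    """Stand-in for EAGAIN / SSL_ERROR_WANT_READ: nothing to read right now."""


@dataclass
class FakeTransport:
    """Constructed non-blocking transport: hands out the given chunks in order,
    then reports 'would block' forever, like a peer that simply stops sending."""
    chunks: List[bytes]
    recv_calls: int = 0

    def recv(self, _bufsize: int) -> bytes:
        self.recv_calls += 1
        if self.chunks:
            return self.chunks.pop(0)
        raise WouldBlock()


@dataclass
class FrameSession:
    """Minimal stand-in for an HTTP/2 session: buffers input and splits it into
    frames (9-byte header, 24-bit big-endian length prefix). Like nghttp2's
    mem_recv it accepts partial frames and reports every byte as consumed."""
    buf: bytearray = field(default_factory=bytearray)
    frames: List[bytes] = field(default_factory=list)

    def mem_recv(self, data: bytes) -> int:
        self.buf += data
        while len(self.buf) >= 9:
            total = 9 + int.from_bytes(self.buf[0:3], "big")
            if len(self.buf) < total:
                break  # wait for the rest of this frame
            self.frames.append(bytes(self.buf[:total]))
            del self.buf[:total]
        return len(data)

    def want_read(self) -> bool:
        return True  # a live session always wants input: not a usable exit condition


def read_loop_vulnerable(transport: FakeTransport, session: FrameSession,
                         spin_guard: int = 1000) -> None:
    """CWE-835 shape: runs until want_read() is false (never) and treats
    WouldBlock as 'try again' instead of returning to the event loop, so once
    the peer goes quiet it spins at 100% CPU. spin_guard is a harness limit
    so the demo terminates; real code of this shape has no such guard."""
    spins = 0
    while session.want_read():
        try:
            data = transport.recv(16384)
        except WouldBlock:
            spins += 1
            if spins >= spin_guard:
                raise RuntimeError(f"spun {spins} times without progress")
            continue
        if not data:
            break  # EOF is the only exit the author thought of
        session.mem_recv(data)


def read_loop_hardened(transport: FakeTransport, session: FrameSession,
                       byte_budget: int = 1 << 20) -> Tuple[str, int]:
    """Bounded: every pass either consumes bytes or leaves the loop. WouldBlock
    and EOF hand control back to the event loop at once, and a per-wakeup byte
    budget stops one busy connection from monopolising the thread."""
    consumed = 0
    while session.want_read() and consumed < byte_budget:
        try:
            data = transport.recv(16384)
        except WouldBlock:
            return ("would_block", consumed)
        if not data:
            return ("eof", consumed)
        consumed += session.mem_recv(data)
    return ("budget", consumed)


# Constructed input: a DATA frame (3-byte payload, END_STREAM, stream 1) split
# across two reads, then an empty SETTINGS frame, then silence from the peer.
DATA_FRAME = bytes([0, 0, 3, 0x00, 0x01, 0, 0, 0, 1]) + b"abc"
SETTINGS_FRAME = bytes([0, 0, 0, 0x04, 0x00, 0, 0, 0, 0])
CHUNKS = [DATA_FRAME[:5], DATA_FRAME[5:] + SETTINGS_FRAME]


def spins_after_peer_goes_quiet(spin_guard: int = 1000) -> Tuple[bool, int]:
    """Vulnerable loop on the constructed input: (hit the spin guard?, frames parsed)."""
    transport, session = FakeTransport(list(CHUNKS)), FrameSession()
    try:
        read_loop_vulnerable(transport, session, spin_guard)
        return (False, len(session.frames))
    except RuntimeError:
        return (True, len(session.frames))


def hardened_result() -> Tuple[str, int, int]:
    """Hardened loop on the same input: (exit reason, bytes consumed, frames parsed)."""
    transport, session = FakeTransport(list(CHUNKS)), FrameSession()
    reason, consumed = read_loop_hardened(transport, session)
    return (reason, consumed, len(session.frames))


if __name__ == "__main__":
    print("vulnerable:", spins_after_peer_goes_quiet())
    print("hardened:  ", hardened_result())
```

Both loops parse the same two frames; the difference is what happens on the third read. The vulnerable loop keeps calling recv() because "the session still wants data" is a condition the peer can hold true forever, while the hardened loop's invariant is progress: no bytes, no more iterations, and a byte budget caps even a cooperative peer.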
Potential Impact
For European organizations, the exposure is the availability of DNS infrastructure that fronts DoH with DNSdist. DNS underpins nearly every other service; a resolver path that stalls takes internal and external reachability, user-facing applications and dependent systems down with it.

The attack surface is the DoH listener itself, which is usually reachable from the internet by design, whether at ISPs, public resolvers, cloud providers, enterprises or public-sector bodies that offer DoH for privacy or policy reasons. Exploitation needs no credentials and no user interaction, so any client that can open a DoH connection is a candidate attacker. What limits the risk is attack complexity: the exchange has to be crafted precisely, and the CVSS rating is Low with Low availability impact. Even so, a single successful exchange consumes CPU for as long as the loop runs, so deployments where DNSdist is a single point of failure, or where DoH carries a large share of traffic, should treat this as a priority although no exploitation in the wild has been reported.
Mitigation Recommendations
To mitigate this vulnerability, European organizations should:

1) Inventory DNSdist deployments and check the version (dnsdist --version) and every addDOHLocal() frontend in the configuration. The issue applies only to DoH frontends served by nghttp2; which library a frontend uses is set by the library option of addDOHLocal(), and when that option is unset the default depends on how the binary was built.
2) Where the operational impact is acceptable, disable the affected DoH frontends until a fixed release is deployed; otherwise restrict them to known client populations.
3) Monitor DNSdist CPU usage and query rate together. A thread pinned at 100% CPU while the DoH query rate stays flat or drops is the signature of a spin loop rather than legitimate load; log the offending client address so it can be blocked.
4) Apply network-level and DNSdist-level controls on DoH traffic from untrusted sources: per-client connection and query limits, rate limiting, and filtering at the edge. These shrink the number of exchanges an attacker can attempt but do not remove the bug.
5) Track the PowerDNS security advisory for CVE-2025-30187 and plan an upgrade to a fixed release as soon as one is published.
6) Keep redundant DNS paths (several DNSdist instances behind anycast or a load balancer, and a non-DoH fallback) so that one pinned instance does not take resolution down.
7) Fuzz or penetration-test the DoH endpoint in a staging environment with malformed HTTP/2 and DoH exchanges, and confirm that a stuck connection cannot starve the rest of the service.
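One way to turn the monitoring advice into a check, as an added example that is not DNSdist code: compare CPU consumed with queries served per scrape interval, and flag intervals where a core is busy but the query rate has collapsed. It generalizes beyond this CVE to any loop that burns CPU without doing work. The scrapes below are constructed, and the metric names dnsdist_queries, dnsdist_cpu_user_msec and dnsdist_cpu_sys_msec are assumed to match DNSdist's Prometheus exporter; verify them against the /metrics endpoint of the running instance before relying on this.

```python
"""Spin-loop detector over DNSdist-style counters.

Added example, not DNSdist code. Metric names are assumptions to be checked
against the real /metrics output; the scrapes are constructed.
"""
import re
from statistics import median
from typing import Dict, List, Optional, Tuple

METRIC_RE = re.compile(
    r"^([A-Za-z_:][A-Za-z0-9_:]*)(?:\{[^}]*\})?\s+([-+]?[0-9.]+(?:[eE][-+]?[0-9]+)?)\s*$"
)
QUERIES = "dnsdist_queries"                                      # assumed name
CPU_METRICS = ("dnsdist_cpu_user_msec", "dnsdist_cpu_sys_msec")  # assumed names

# Constructed scrapes (unix time, exposition text): ~100 qps at ~1.4% of a core,
# then two intervals with a core pinned while queries fall to 5 qps, then a restart.
SCRAPES = [
    (0,   "# HELP dnsdist_queries total queries\ndnsdist_queries 100000\n"
          "dnsdist_cpu_user_msec 5000\ndnsdist_cpu_sys_msec 2000\n"),
    (60,  "dnsdist_queries 106000\ndnsdist_cpu_user_msec 5600\ndnsdist_cpu_sys_msec 2250\n"),
    (120, "dnsdist_queries 112000\ndnsdist_cpu_user_msec 6200\ndnsdist_cpu_sys_msec 2500\n"),
    (180, "dnsdist_queries 112300\ndnsdist_cpu_user_msec 64000\ndnsdist_cpu_sys_msec 3000\n"),
    (240, "dnsdist_queries 112600\ndnsdist_cpu_user_msec 123000\ndnsdist_cpu_sys_msec 3500\n"),
    (300, "dnsdist_queries 500\ndnsdist_cpu_user_msec 40\ndnsdist_cpu_sys_msec 10\n"),
]


def parse_scrape(text: str) -> Dict[str, float]:
    """Parse Prometheus text exposition. Samples sharing a name but differing in
    labels are summed; comments and blank lines are skipped."""
    out: Dict[str, float] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = METRIC_RE.match(line)
        if m:
            out[m.group(1)] = out.get(m.group(1), 0.0) + float(m.group(2))
    return out


def interval_stats(scrapes: List[Tuple[int, str]]) -> List[Optional[Tuple[float, float]]]:
    """Per interval between consecutive scrapes: (CPU utilisation of one core, qps).
    None where a metric is missing or a counter went backwards (process restart)."""
    parsed = [(ts, parse_scrape(body)) for ts, body in scrapes]
    stats: List[Optional[Tuple[float, float]]] = []
    for (t0, a), (t1, b) in zip(parsed, parsed[1:]):
        wall_ms = (t1 - t0) * 1000.0
        try:
            dq = b[QUERIES] - a[QUERIES]
            dcpu = sum(b[m] - a[m] for m in CPU_METRICS)
        except KeyError:
            stats.append(None)
            continue
        if wall_ms <= 0 or dq < 0 or dcpu < 0:
            stats.append(None)  # counter reset: no inference possible
            continue
        stats.append((dcpu / wall_ms, dq / (wall_ms / 1000.0)))
    return stats


def flag_spin_intervals(scrapes: List[Tuple[int, str]],
                        cpu_util_threshold: float = 0.8,
                        qps_drop_ratio: float = 0.5) -> List[int]:
    """Indices of intervals where CPU use is at least cpu_util_threshold of a
    core while qps has fallen to at most qps_drop_ratio of the median qps of
    healthy intervals seen so far. High CPU with proportionally high qps is
    load; high CPU with a flat or falling qps is a loop doing no work."""
    flagged: List[int] = []
    healthy_qps: List[float] = []
    for i, s in enumerate(interval_stats(scrapes)):
        if s is None:
            continue
        util, qps = s
        suspicious = (util >= cpu_util_threshold and bool(healthy_qps)
                      and qps <= qps_drop_ratio * median(healthy_qps))
        if suspicious:
            flagged.append(i)
        else:
            healthy_qps.append(qps)  # only unflagged intervals feed the baseline
    return flagged


if __name__ == "__main__":
    for i, s in enumerate(interval_stats(SCRAPES)):
        print(i, s)
    print("suspicious intervals:", flag_spin_intervals(SCRAPES))
```

The baseline is built only from intervals that were not flagged, so a spin that lasts several scrapes keeps being reported instead of becoming the new normal; the counter-reset check avoids a false alarm on the restart that follows an operator killing the pinned process. In production the scrapes would come from the exporter on a schedule rather than the constructed list.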
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Norway, Denmark
Technical Details
- Data Version: 5.1
- Assigner Short Name: OX
- Date Reserved: 2025-03-18T08:39:46.884Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68cc13c146e444568e341cc1
Added to database: 9/18/2025, 2:14:25 PM
Last enriched: 9/18/2025, 2:15:24 PM
Last updated: 9/18/2025, 2:15:24 PM