
CVE-2025-30194: CWE-416 Use After Free in PowerDNS DNSdist

Severity: High
Tags: Vulnerability, CVE-2025-30194, cve, cve-2025-30194, cwe-416
Published: Tue Apr 29 2025 (04/29/2025, 11:25:47 UTC)
Source: CVE
Vendor/Project: PowerDNS
Product: DNSdist

Description

When DNSdist is configured to provide DoH via the nghttp2 provider, an attacker can cause a denial of service by crafting a DoH exchange that triggers an illegal memory access (double-free) and crash of DNSdist, causing a denial of service. The remedy is: upgrade to the patched 1.9.9 version. A workaround is to temporarily switch to the h2o provider until DNSdist has been upgraded to a fixed version. We would like to thank Charles Howes for bringing this issue to our attention.

AI-Powered Analysis

Last updated: 06/24/2025, 23:19:17 UTC

Technical Analysis

CVE-2025-30194 is a high-severity vulnerability affecting PowerDNS DNSdist version 1.9.0 when configured to provide DNS over HTTPS (DoH) via the nghttp2 provider. The vulnerability is classified as a Use-After-Free (CWE-416) flaw, specifically a double-free memory error. An attacker can exploit this by crafting a malicious DoH exchange that triggers illegal memory access within DNSdist, causing the application to crash. This results in a denial of service (DoS) condition, disrupting DNS resolution services provided by DNSdist. The vulnerability does not impact confidentiality or integrity but solely affects availability. Exploitation requires no privileges or user interaction and can be performed remotely over the network. The vendor has released a patched version 1.9.9 to remediate the issue. As a temporary workaround, administrators can switch the DoH provider from nghttp2 to h2o until the upgrade is applied. There are no known exploits in the wild at the time of publication, but the ease of exploitation and the critical role of DNS infrastructure make this a significant threat. The CVSS v3.1 base score is 7.5, reflecting high severity due to network attack vector, low complexity, no privileges required, and no user interaction needed, with impact limited to availability.

Potential Impact

For European organizations, this vulnerability poses a risk primarily to the availability of DNS services when DNSdist is deployed as a DoH proxy or load balancer using the nghttp2 provider. DNSdist is widely used in DNS infrastructure for performance and security enhancements, including in ISPs, enterprises, and critical infrastructure providers. A successful attack could cause DNS resolution failures, leading to service outages, degraded network performance, and potential cascading effects on dependent applications and services. This is particularly critical for organizations relying on DNSdist for DoH, which is increasingly adopted to enhance DNS privacy and security. Disruptions could affect financial institutions, government agencies, telecommunications providers, and cloud service operators across Europe, potentially impacting end-users and business continuity. While no data breach or integrity compromise is expected, the denial of service could be leveraged in larger multi-vector attacks or cause operational disruptions during peak usage or critical events.

Mitigation Recommendations

1. Immediate upgrade to PowerDNS DNSdist version 1.9.9 or later, which contains the patch fixing the double-free vulnerability.
2. Until the upgrade can be applied, reconfigure DNSdist to use the h2o DoH provider instead of nghttp2 to mitigate the risk of exploitation.
3. Implement network-level protections such as rate limiting and anomaly detection on DoH traffic to identify and block suspicious or malformed DoH requests that could trigger the vulnerability.
4. Monitor DNSdist logs and system stability closely for signs of crashes or unusual behavior indicative of attempted exploitation.
5. Maintain an inventory of DNSdist deployments and their configurations to ensure all instances using nghttp2 for DoH are identified and remediated promptly.
6. Coordinate with upstream providers and partners to share threat intelligence and ensure a unified response to potential exploitation attempts.
7. Consider deploying redundant DNS infrastructure and failover mechanisms to minimize service disruption in case of an attack exploiting this vulnerability.
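For the inventory step (recommendation 5), one way to flag DoH listeners that still depend on nghttp2 is to scan each `dnsdist.conf` for `addDOHLocal()` calls and read the `library` option. This is an added example, not code from PowerDNS or from this page; the sample configuration is constructed, and two things are assumptions: that every release from 1.9.0 up to (but not including) 1.9.9 is affected, and that a frontend with no explicit `library` runs on nghttp2.

```python
import re

FIRST, FIXED = (1, 9, 0), (1, 9, 9)  # affected and patched releases named on the page


def parse_version(text):
    """Extract (major, minor, patch) from any string containing x.y.z."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no x.y.z version in %r" % text)
    return tuple(int(g) for g in m.groups())


def doh_frontends(config):
    """Yield (listen_address, library_or_None) for each addDOHLocal() call."""
    config = re.sub(r"--[^\n]*", "", config)      # drop Lua line comments only
    for m in re.finditer(r"\baddDOHLocal\s*\(", config):
        depth, i = 1, m.end()
        while i < len(config) and depth:          # walk to the matching ')'
            depth += {"(": 1, ")": -1}.get(config[i], 0)
            i += 1
        call = config[m.end():i - 1]
        addr = re.match(r"\s*[\"']([^\"']+)[\"']", call)
        lib = re.search(r"\blibrary\s*=\s*[\"'](\w+)[\"']", call)
        yield (addr.group(1) if addr else "?", lib.group(1) if lib else None)


def audit(config, version_text):
    """Return DoH listeners that still need the upgrade or the h2o workaround."""
    if not FIRST <= parse_version(version_text) < FIXED:
        return []
    # Assumption: no explicit library means the frontend uses nghttp2.
    return [a for a, lib in doh_frontends(config) if lib in (None, "nghttp2")]


# Constructed sample configuration, not taken from any real deployment.
SAMPLE = '''
addDOHLocal("192.0.2.10:443", "/etc/ssl/doh.pem", "/etc/ssl/doh.key", "/dns-query")
addDOHLocal("192.0.2.11:443", "/etc/ssl/doh.pem", "/etc/ssl/doh.key", "/dns-query",
            {library="h2o"})
-- addDOHLocal("192.0.2.12:443", "/etc/ssl/doh.pem", "/etc/ssl/doh.key")
addDOHLocal("192.0.2.13:443", "/etc/ssl/doh.pem", "/etc/ssl/doh.key", "/dns-query",
            {library="nghttp2", reusePort=true})
'''

if __name__ == "__main__":
    print(audit(SAMPLE, "1.9.8"))
```

Listeners reported by `audit()` are the ones to move to `library="h2o"` until the host runs 1.9.9; a build compiled without nghttp2 would be reported as a false positive under the stated assumption.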


Technical Details

Data Version: 5.1
Assigner Short Name: OX
Date Reserved: 2025-03-18T08:39:46.884Z
Cisa Enriched: true
Cvss Version: 3.1
State: PUBLISHED

Threat ID: 682d983dc4522896dcbef0a3

Added to database: 5/21/2025, 9:09:17 AM

Last enriched: 6/24/2025, 11:19:17 PM

Last updated: 8/15/2025, 3:14:30 PM
