CVE-2025-47950 is a high-severity Denial of Service (DoS) vulnerability affecting CoreDNS versions prior to 1.12.2, specifically in its DNS-over-QUIC (DoQ) server implementation. CoreDNS is a widely used DNS server that supports chaining plugins and has recently integrated QUIC protocol support for DNS queries. The vulnerability arises from the server's handling of incoming QUIC streams: for every new QUIC stream, CoreDNS would spawn a new goroutine without any imposed limits on the number of concurrent streams or goroutines. This lack of throttling allows a remote, unauthenticated attacker to open a large number of QUIC streams simultaneously, causing uncontrolled memory consumption. In memory-constrained environments, such as containerized deployments, this can lead to an Out Of Memory (OOM) crash, effectively causing a denial of service. The vulnerability is classified under CWE-770, which concerns allocation of resources without limits or throttling. The patch introduced in CoreDNS version 1.12.2 mitigates this by implementing two key controls: 'max_streams' caps the number of concurrent QUIC streams per connection (default 256), and 'worker_pool_size' introduces a bounded worker pool (default 1024) to process streams, replacing the previous 1:1 stream-to-goroutine model. These changes ensure that CoreDNS can handle high concurrency without exhausting system resources. For users unable to upgrade immediately, workarounds include disabling QUIC support by removing or commenting out the 'quic://' block in the Corefile, applying container runtime resource limits to detect and isolate excessive memory usage, and monitoring QUIC connection patterns to alert on anomalies. The CVSS v3.1 score is 7.5 (high), reflecting the vulnerability's network attack vector, no required privileges or user interaction, and its impact on availability only.

European organizations relying on CoreDNS for DNS resolution, especially those using the DNS-over-QUIC feature, face significant risk from this vulnerability. A successful exploitation can cause service outages by crashing DNS servers due to memory exhaustion, disrupting critical network services and potentially impacting business operations, internal communications, and customer-facing applications. Containerized environments, common in modern European data centers and cloud deployments, are particularly vulnerable due to their limited memory allocation, increasing the likelihood of OOM conditions. Disruptions in DNS services can cascade, affecting web services, email, and other network-dependent applications. Additionally, unavailability of DNS can hinder incident response and security monitoring tools that rely on DNS resolution. Given the unauthenticated nature of the attack, any external attacker can attempt exploitation, increasing the threat surface. While no known exploits are currently reported in the wild, the presence of a public CVE and the availability of detailed technical information may lead to future exploitation attempts. Organizations in sectors with high availability requirements, such as finance, healthcare, and critical infrastructure, are especially at risk.

To effectively mitigate this vulnerability, European organizations should prioritize upgrading CoreDNS to version 1.12.2 or later, which includes the necessary patches to limit concurrent QUIC streams and implement a bounded worker pool. For environments where immediate upgrade is not feasible, disabling the DNS-over-QUIC feature by removing or commenting out the 'quic://' block in the Corefile is a practical interim measure. Organizations should also enforce strict container runtime resource limits to detect and contain excessive memory usage, preventing OOM crashes from affecting the host or other containers. Implementing monitoring and alerting on QUIC connection patterns can provide early detection of anomalous activity indicative of exploitation attempts. Network-level controls, such as rate limiting and firewall rules, can be configured to restrict the number of incoming QUIC connections or streams from untrusted sources. Additionally, organizations should review and update incident response plans to include scenarios involving DNS service disruption. Regular security audits and penetration testing focusing on DNS infrastructure resilience can help identify residual risks. Finally, maintaining up-to-date threat intelligence feeds and vendor advisories will ensure timely awareness of any emerging exploits related to this vulnerability.