CVE-2025-47950: CWE-770: Allocation of Resources Without Limits or Throttling in coredns coredns
Description
CoreDNS is a DNS server that chains plugins. In versions prior to 1.12.2, a Denial of Service (DoS) vulnerability exists in the CoreDNS DNS-over-QUIC (DoQ) server implementation. The server previously created a new goroutine for every incoming QUIC stream without imposing any limits on the number of concurrent streams or goroutines. A remote, unauthenticated attacker could open a large number of streams, leading to uncontrolled memory consumption and eventually causing an Out Of Memory (OOM) crash, especially in containerized or memory-constrained environments. The patch in version 1.12.2 introduces two key mitigation mechanisms: `max_streams`, which caps the number of concurrent QUIC streams per connection with a default value of `256`; and `worker_pool_size`, which introduces a server-wide, bounded worker pool to process incoming streams with a default value of `1024`. This eliminates the 1:1 stream-to-goroutine model and ensures that CoreDNS remains resilient under high concurrency. Some workarounds are available for those who are unable to upgrade: disable QUIC support by removing or commenting out the `quic://` block in the Corefile, use container runtime resource limits to detect and isolate excessive memory usage, and/or monitor QUIC connection patterns and alert on anomalies.
AI Analysis
Technical Summary
CVE-2025-47950 is a high-severity Denial of Service (DoS) vulnerability affecting CoreDNS versions prior to 1.12.2, specifically in its DNS-over-QUIC (DoQ) server implementation. CoreDNS is a widely used DNS server that supports chaining plugins and has recently integrated QUIC protocol support for DNS queries. The vulnerability arises from the server's handling of incoming QUIC streams: for every new QUIC stream, CoreDNS would spawn a new goroutine without any imposed limits on the number of concurrent streams or goroutines. This lack of throttling allows a remote, unauthenticated attacker to open a large number of QUIC streams simultaneously, causing uncontrolled memory consumption. In memory-constrained environments, such as containerized deployments, this can lead to an Out Of Memory (OOM) crash, effectively causing a denial of service. The vulnerability is classified under CWE-770, which concerns allocation of resources without limits or throttling. The patch introduced in CoreDNS version 1.12.2 mitigates this by implementing two key controls: 'max_streams' caps the number of concurrent QUIC streams per connection (default 256), and 'worker_pool_size' introduces a bounded worker pool (default 1024) to process streams, replacing the previous 1:1 stream-to-goroutine model. These changes ensure that CoreDNS can handle high concurrency without exhausting system resources. For users unable to upgrade immediately, workarounds include disabling QUIC support by removing or commenting out the 'quic://' block in the Corefile, applying container runtime resource limits to detect and isolate excessive memory usage, and monitoring QUIC connection patterns to alert on anomalies. The CVSS v3.1 score is 7.5 (high), reflecting the vulnerability's network attack vector, no required privileges or user interaction, and its impact on availability only.
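The following is an added example, not code from the advisory or from the CoreDNS repository. It models the two acceptor designs the summary above contrasts: the pre-1.12.2 pattern that starts one goroutine per accepted stream with no cap, and the 1.12.2 design with a per-connection stream cap (`max_streams`) and a server-wide bounded worker pool (`worker_pool_size`). The `stream` type, the `burst` generator and the sleep that stands in for request handling are constructed for the illustration. In real QUIC the per-connection cap is enforced by the transport's stream limit (the peer cannot open more streams than the server advertises until some close); here that is modelled as a per-connection window channel. The quantity measured, peak live handlers, is what drives goroutine and memory growth under a stream flood.

```go
package main

import (
	"fmt"
	"sync"
	"sync/atomic"
	"time"
)

// stream stands in for one incoming DoQ request stream (constructed for this
// example; the real server receives quic-go streams).
type stream struct {
	conn int // index of the QUIC connection the stream belongs to
	id   int
}

// gauge records how many handlers are alive right now and the highest value
// seen so far. Peak live handlers is the quantity that drives memory use.
type gauge struct{ live, peak int64 }

func (g *gauge) enter() {
	n := atomic.AddInt64(&g.live, 1)
	for {
		p := atomic.LoadInt64(&g.peak)
		if n <= p || atomic.CompareAndSwapInt64(&g.peak, p, n) {
			return
		}
	}
}

func (g *gauge) leave() { atomic.AddInt64(&g.live, -1) }

// handle is the per-stream work. It only holds the handler open for a while,
// which is exactly what a slow or stalled attacker achieves against the real
// server: every open stream pins its goroutine and buffers in memory.
func handle(s stream, hold time.Duration, g *gauge) {
	g.enter()
	defer g.leave()
	time.Sleep(hold)
}

// burst builds conns connections that each open perConn streams at once,
// the shape of a stream-flood DoS.
func burst(conns, perConn int) [][]stream {
	out := make([][]stream, conns)
	for c := range out {
		for i := 0; i < perConn; i++ {
			out[c] = append(out[c], stream{conn: c, id: i})
		}
	}
	return out
}

// serveUnbounded mirrors the pre-1.12.2 pattern: one goroutine per accepted
// stream, no per-connection cap and no server-wide cap. The returned peak
// grows with whatever the attacker sends.
func serveUnbounded(conns [][]stream, hold time.Duration) int64 {
	var g gauge
	var wg sync.WaitGroup
	for _, c := range conns {
		for _, s := range c {
			wg.Add(1)
			go func(s stream) {
				defer wg.Done()
				handle(s, hold, &g)
			}(s)
		}
	}
	wg.Wait()
	return g.peak
}

// limits are the two knobs that 1.12.2 added.
type limits struct {
	maxStreams     int // concurrent streams per connection (max_streams, default 256)
	workerPoolSize int // server-wide handlers (worker_pool_size, default 1024)
}

// serveBounded models the 1.12.2 design. A fixed pool of workers drains one
// server-wide queue, so live handlers never exceed workerPoolSize however many
// connections arrive, and each connection's window blocks the client once it
// has maxStreams streams open. Peak live handlers is therefore bounded by
// min(workerPoolSize, connections*maxStreams).
func serveBounded(conns [][]stream, lim limits, hold time.Duration) int64 {
	var g gauge
	queue := make(chan stream)
	windows := make([]chan struct{}, len(conns))
	for c := range windows {
		windows[c] = make(chan struct{}, lim.maxStreams)
	}

	var workers sync.WaitGroup
	for i := 0; i < lim.workerPoolSize; i++ {
		workers.Add(1)
		go func() {
			defer workers.Done()
			for s := range queue {
				handle(s, hold, &g)
				<-windows[s.conn] // stream closed: free one slot on its connection
			}
		}()
	}

	// One goroutine per connection offers that connection's streams, blocking
	// whenever the connection already has maxStreams streams open.
	var clients sync.WaitGroup
	for c, streams := range conns {
		clients.Add(1)
		go func(c int, streams []stream) {
			defer clients.Done()
			for _, s := range streams {
				windows[c] <- struct{}{}
				queue <- s
			}
		}(c, streams)
	}
	clients.Wait()
	close(queue)
	workers.Wait()
	return g.peak
}

func main() {
	conns := burst(4, 250) // 4 connections x 250 streams = 1000 streams at once
	hold := 20 * time.Millisecond
	fmt.Println("unbounded peak handlers:", serveUnbounded(conns, hold))
	lim := limits{maxStreams: 16, workerPoolSize: 32}
	fmt.Println("bounded peak handlers:  ", serveBounded(conns, lim, hold))
}
```

With the numbers in `main`, the unbounded acceptor reaches roughly 1000 live handlers (all streams are accepted before the first one finishes), while the bounded acceptor never exceeds 32. Lowering `maxStreams` instead makes the per-connection window the binding limit, which is the knob that matters when a single attacker connection is the problem; the worker pool is what protects the process when the attacker spreads the flood over many connections.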
Potential Impact
European organizations relying on CoreDNS for DNS resolution, especially those using the DNS-over-QUIC feature, face significant risk from this vulnerability. A successful exploitation can cause service outages by crashing DNS servers due to memory exhaustion, disrupting critical network services and potentially impacting business operations, internal communications, and customer-facing applications. Containerized environments, common in modern European data centers and cloud deployments, are particularly vulnerable due to their limited memory allocation, increasing the likelihood of OOM conditions. Disruptions in DNS services can cascade, affecting web services, email, and other network-dependent applications. Additionally, unavailability of DNS can hinder incident response and security monitoring tools that rely on DNS resolution. Given the unauthenticated nature of the attack, any external attacker can attempt exploitation, increasing the threat surface. While no known exploits are currently reported in the wild, the presence of a public CVE and the availability of detailed technical information may lead to future exploitation attempts. Organizations in sectors with high availability requirements, such as finance, healthcare, and critical infrastructure, are especially at risk.
Mitigation Recommendations
To effectively mitigate this vulnerability, European organizations should prioritize upgrading CoreDNS to version 1.12.2 or later, which includes the necessary patches to limit concurrent QUIC streams per connection and to process streams through a bounded worker pool. For environments where immediate upgrade is not feasible, disabling the DNS-over-QUIC feature by removing or commenting out the 'quic://' block in the Corefile is a practical interim measure. Organizations should also enforce strict container runtime resource limits to detect and contain excessive memory usage, preventing OOM crashes from affecting the host or other containers; note that a memory limit turns the outage into a restart loop rather than preventing it, so it is a containment control, not a fix. Implementing monitoring and alerting on QUIC connection patterns (connection and stream counts per source, CoreDNS memory and restart counts) can provide early detection of anomalous activity indicative of exploitation attempts. Network-level controls, such as rate limiting and firewall rules on the DoQ listener (UDP port 853 by default), can restrict incoming QUIC connections from untrusted sources. Additionally, organizations should review and update incident response plans to include scenarios involving DNS service disruption. Regular security audits and penetration testing focusing on DNS infrastructure resilience can help identify residual risks. Finally, maintaining up-to-date threat intelligence feeds and vendor advisories will ensure timely awareness of any emerging exploits related to this vulnerability.
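The following Corefile fragment is an added example, not taken from the advisory or the CoreDNS repository. It shows the interim workaround (the whole `quic://` server block commented out, which stops CoreDNS listening for DoQ at all) beside the post-upgrade configuration that keeps DoQ and sets the two limits explicitly. The certificate paths, listen address and upstream are placeholders; the `quic { ... }` block syntax is assumed to match the quic plugin shipped with CoreDNS 1.12.2, so check the plugin README of the release you deploy before copying it.

```corefile
# Workaround on any version that cannot be upgraded yet: remove or comment out
# the entire quic:// block. Plain DNS (the .:53 block) keeps serving.
# quic://.:853 {
#     tls /etc/coredns/tls/cert.pem /etc/coredns/tls/key.pem
#     forward . 10.0.0.53
# }

# After upgrading to 1.12.2 or later: DoQ stays enabled and the limits are
# stated explicitly (these are the defaults; lower them for small pods).
quic://.:853 {
    tls /etc/coredns/tls/cert.pem /etc/coredns/tls/key.pem
    quic {
        max_streams 256
        worker_pool_size 1024
    }
    forward . 10.0.0.53
}

.:53 {
    forward . 10.0.0.53
}
```

On 1.12.2 and later the defaults (256 streams per connection, 1024 workers) apply even when the `quic` block is absent, so the explicit block only matters when the values need tuning. A useful check after either change is to confirm that UDP 853 is no longer reachable (workaround) or that the running binary reports version 1.12.2 or later (upgrade); a Corefile edit on an unpatched binary without the block removed leaves the vulnerable listener in place.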
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Denmark, Belgium, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-05-14T10:32:43.531Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6843296371f4d251b5d5b4e6
Added to database: 6/6/2025, 5:46:11 PM
Last enriched: 7/8/2025, 11:25:05 AM
Last updated: 8/11/2025, 10:15:10 PM