CVE-2025-47950 in CoreDNS

Summary

by MITRE • 06/06/2025

CoreDNS is a DNS server that chains plugins. In versions prior to 1.21.2, a Denial of Service (DoS) vulnerability exists in the CoreDNS DNS-over-QUIC (DoQ) server implementation. The server previously created a new goroutine for every incoming QUIC stream without imposing any limits on the number of concurrent streams or goroutines. A remote, unauthenticated attacker could open a large number of streams, leading to uncontrolled memory consumption and eventually causing an Out Of Memory (OOM) crash — especially in containerized or memory-constrained environments. The patch in version 1.21.2 introduces two key mitigation mechanisms: `max_streams`, which caps the number of concurrent QUIC streams per connection with a default value of `256`; and `worker_pool_size`, which introduces a server-wide, bounded worker pool to process incoming streams with a default value of `1024`. This eliminates the 1:1 stream-to-goroutine model and ensures that CoreDNS remains resilient under high concurrency. Some workarounds are available for those who are unable to upgrade. Disable QUIC support by removing or commenting out the `quic://` block in the Corefile, use container runtime resource limits to detect and isolate excessive memory usage, and/or monitor QUIC connection patterns and alert on anomalies.


Analysis

by VulDB Data Team • 08/15/2025

CoreDNS is a widely deployed DNS server built on a plugin architecture that enables flexible DNS service implementations. CVE-2025-47950 concerns the DNS-over-QUIC (DoQ) implementation within CoreDNS and exposes a critical denial of service weakness in versions prior to 1.21.2. The flaw stems from the server's lack of concurrency controls when handling QUIC streams, which lets a remote peer drive the process past its resource limits. QUIC's stream-based design allows many concurrent data exchanges within a single connection, and without a limiting mechanism CoreDNS was susceptible to resource exhaustion. The vulnerability manifests as an unbounded number of goroutines: each incoming QUIC stream spawned a dedicated goroutine, so resource consumption grew without limit.

The implementation flaw resides in CoreDNS's handling of QUIC streams: the server maintained a one-to-one mapping between incoming streams and goroutines without any upper bound on concurrent execution. This design violates basic resource management principles and creates an attack surface where an unauthenticated remote adversary can initiate numerous concurrent streams to overwhelm system resources. The absence of stream limits means that each connection can spawn an unlimited number of goroutines, consuming memory and CPU at an uncontrolled rate. In containerized environments with strict memory limits this is particularly dangerous, as the process quickly exhausts available memory and is terminated with an Out Of Memory error that takes down the entire DNS service. The vulnerability maps directly to CWE-400, "Uncontrolled Resource Consumption", and aligns with ATT&CK technique T1499.1, "Endpoint Denial of Service" through resource exhaustion.

The operational impact extends beyond simple service disruption to complete instability of memory-constrained deployments. When an attacker opens numerous concurrent QUIC streams, memory is allocated rapidly until OOM conditions cause process termination and DNS service unavailability. This affects organizations that rely on CoreDNS for critical infrastructure services, particularly those operating in cloud environments where container memory limits are enforced and the runaway allocation ends in an OOM kill. Exploitation requires no privileges and can be carried out remotely, making the issue particularly dangerous for public-facing DNS servers. A deployment that enables DoQ with a `quic://` block is exploitable in its default form, since no stream limit existed before 1.21.2 and no special access or insider knowledge is required.

The patch in CoreDNS version 1.21.2 addresses this vulnerability through two mechanisms that change the server's concurrency model. The `max_streams` parameter establishes a per-connection limit on concurrent QUIC streams, defaulting to 256 streams per connection, which prevents a single connection from overwhelming system resources. The `worker_pool_size` parameter introduces a bounded worker pool that processes incoming streams with a fixed number of worker goroutines, defaulting to 1024, rather than creating a goroutine per stream. This server-wide bound eliminates the 1:1 stream-to-goroutine relationship that was the root cause of the vulnerability and gives resource consumption a controlled, predictable ceiling. The mitigation follows established practice for preventing resource exhaustion: a server should bound the resources any single peer can consume. Organizations unable to upgrade can apply several workarounds, including disabling QUIC support entirely, configuring container runtime resource limits to detect and isolate excessive memory usage, and deploying monitoring to detect anomalous QUIC connection patterns that may indicate exploitation attempts.
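The following Go model is an added illustration, not CoreDNS's own code, of the two limits the 1.21.2 patch describes: a per-connection stream cap in the role of `max_streams` and a server-wide bounded worker pool in the role of `worker_pool_size`. The names `Dispatcher`, `Conn`, `Accept` and `Simulate` are assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
)
// Constructed model (assumed names, not CoreDNS code) of the 1.21.2 limits; before the fix each new stream got its own goroutine.
var ErrTooManyStreams = errors.New("per-connection stream limit reached")
type Dispatcher struct {
	maxStreams int         // per-connection cap (CoreDNS default 256)
	jobs       chan func() // unbuffered: a send succeeds only when a worker is free
}
// NewDispatcher starts a fixed pool of poolSize workers (CoreDNS default 1024),
// which replaces the old one-goroutine-per-stream model.
func NewDispatcher(maxStreams, poolSize int) *Dispatcher {
	d := &Dispatcher{maxStreams: maxStreams, jobs: make(chan func())}
	for i := 0; i < poolSize; i++ {
		go func() { for job := range d.jobs { job() } }()
	}
	return d
}

type Conn struct{ slots chan struct{} } // one slot per in-flight stream of a connection
func (d *Dispatcher) NewConn() *Conn { return &Conn{slots: make(chan struct{}, d.maxStreams)} }
// Accept rejects a stream when its connection is at the cap (no goroutine is
// created for it); otherwise it waits for a free worker rather than spawning one.
func (d *Dispatcher) Accept(c *Conn, handle func()) error {
	select {
	case c.slots <- struct{}{}:
	default:
		return ErrTooManyStreams
	}
	d.jobs <- func() { defer func() { <-c.slots }(); handle() } // slot freed when done
	return nil
}
// Simulate opens n streams on one connection whose handlers all hold until the last
// has been submitted, then reports how many were accepted and how many rejected.
func Simulate(maxStreams, poolSize, n int) (accepted, rejected int) {
	d, gate := NewDispatcher(maxStreams, poolSize), make(chan struct{})
	c := d.NewConn()
	for i := 0; i < n; i++ {
		if d.Accept(c, func() { <-gate }) != nil {
			rejected++
		}
	}
	close(gate)
	close(d.jobs) // let the workers exit
	return n - rejected, rejected
}

func main() { fmt.Println(Simulate(4, 8, 10)) } // prints "4 6"
```

`Simulate` must be called with `poolSize` at least `maxStreams`, because its handlers hold until the loop finishes; in a real server a blocked `Accept` is simply the pool's backpressure on a saturated node.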

The security implications extend to broader DNS infrastructure stability, as CoreDNS is widely deployed across enterprise and cloud environments. The DoS vector could be used in coordinated attacks against multiple DNS servers simultaneously, amplifying the impact on network availability. Its presence in a widely used DNS component underscores the importance of proper resource management in network services and shows how a seemingly minor architectural decision can create a significant security risk. Organizations should prioritize upgrading to CoreDNS 1.21.2 or applying the suggested workarounds, as the attack surface remains relevant for systems that continue to run vulnerable configurations. The fix reflects a shift toward more resilient design that builds resource limits and bounded execution models into the server so that similar vulnerabilities do not recur.

Responsible: GitHub M

Reservation: 05/14/2025

Disclosure: 06/06/2025

Moderation: accepted

CPE: ready

EPSS: 0.01132

KEV: no

Activities: very low
