Open
Description
Advisory GHSA-cvx7-x8pj-x2gw references a vulnerability in the following Go modules:
| Module |
|---|
| github.com/coredns/coredns |
Description:
Summary
A Denial of Service (DoS) vulnerability was discovered in the CoreDNS DNS-over-QUIC (DoQ) server implementation. The server previously created a new goroutine for every incoming QUIC stream without imposing any limits on the number of concurrent streams or goroutines. A remote, unauthenticated attacker could open a large number of streams, leading to uncontrolled memory consumption and eventually causing an Out Of Memory (OOM) crash — especially in containerized or memory-constrained environments.
Impact
- Component:
server_quic.go - Attack Vector: Remote, ne...
References:
- ADVISORY: GHSA-cvx7-x8pj-x2gw
- ADVISORY: GHSA-cvx7-x8pj-x2gw
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2025-47950
- FIX: coredns/coredns@efaed02
- WEB: https://datatracker.ietf.org/doc/html/rfc9250
- WEB: https://github.com/quic-go/quic-go
- WEB: https://www.usenix.org/conference/usenixsecurity23/presentation/botella
Cross references:
- github.com/coredns/coredns appears in 6 other report(s):
- data/excluded/GO-2023-1606.yaml (x/vulndb: potential Go vuln in github.com/coredns/coredns: GHSA-ch7v-37xg-75ph #1606) EFFECTIVELY_PRIVATE
- data/excluded/GO-2023-1610.yaml (x/vulndb: potential Go vuln in github.com/coredns/coredns: GHSA-h828-v5pv-33qx #1610) EFFECTIVELY_PRIVATE
- data/reports/GO-2022-0368.yaml (x/vulndb: potential Go vuln in github.com/coredns/coredns: GHSA-gv9j-4w24-q7vx #368)
- data/reports/GO-2024-2785.yaml (x/vulndb: potential Go vuln in github.com/coredns/coredns: CVE-2024-0874 #2785)
- data/reports/GO-2024-3130.yaml (x/vulndb: potential Go vuln in github.com/coredns/coredns: GHSA-hfmw-7g3m-gj6q #3130)
- data/reports/GO-2024-3134.yaml (x/vulndb: potential Go vuln in github.com/coredns/coredns: GHSA-h92q-fgpp-qhrq #3134)
See doc/quickstart.md for instructions on how to triage this report.
id: GO-ID-PENDING
modules:
- module: github.com/coredns/coredns
non_go_versions:
- fixed: 1.21.2
vulnerable_at: 1.12.2
summary: CoreDNS Vulnerable to DoQ Memory Exhaustion via Stream Amplification in github.com/coredns/coredns
cves:
- CVE-2025-47950
ghsas:
- GHSA-cvx7-x8pj-x2gw
references:
- advisory: https://github.com/advisories/GHSA-cvx7-x8pj-x2gw
- advisory: https://github.com/coredns/coredns/security/advisories/GHSA-cvx7-x8pj-x2gw
- advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-47950
- fix: https://github.com/coredns/coredns/commit/efaed02c6a480ec147b1f799aab7cf815b17dfe1
- web: https://datatracker.ietf.org/doc/html/rfc9250
- web: https://github.com/quic-go/quic-go
- web: https://www.usenix.org/conference/usenixsecurity23/presentation/botella
source:
id: GHSA-cvx7-x8pj-x2gw
created: 2025-06-06T22:01:24.14919875Z
review_status: UNREVIEWED