Skip to content

x/vulndb: potential Go vuln in github.com/coredns/coredns: GHSA-cvx7-x8pj-x2gw #3743

Open
@GoVulnBot

Description

@GoVulnBot

Advisory GHSA-cvx7-x8pj-x2gw references a vulnerability in the following Go modules:

Module
github.com/coredns/coredns

Description:

Summary

A Denial of Service (DoS) vulnerability was discovered in the CoreDNS DNS-over-QUIC (DoQ) server implementation. The server previously created a new goroutine for every incoming QUIC stream without imposing any limits on the number of concurrent streams or goroutines. A remote, unauthenticated attacker could open a large number of streams, leading to uncontrolled memory consumption and eventually causing an Out Of Memory (OOM) crash — especially in containerized or memory-constrained environments.

Impact

  • Component: server_quic.go
  • Attack Vector: Remote, ne...

References:

Cross references:

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/coredns/coredns
      non_go_versions:
        - fixed: 1.21.2
      vulnerable_at: 1.12.2
summary: CoreDNS Vulnerable to DoQ Memory Exhaustion via Stream Amplification in github.com/coredns/coredns
cves:
    - CVE-2025-47950
ghsas:
    - GHSA-cvx7-x8pj-x2gw
references:
    - advisory: https://github.com/advisories/GHSA-cvx7-x8pj-x2gw
    - advisory: https://github.com/coredns/coredns/security/advisories/GHSA-cvx7-x8pj-x2gw
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-47950
    - fix: https://github.com/coredns/coredns/commit/efaed02c6a480ec147b1f799aab7cf815b17dfe1
    - web: https://datatracker.ietf.org/doc/html/rfc9250
    - web: https://github.com/quic-go/quic-go
    - web: https://www.usenix.org/conference/usenixsecurity23/presentation/botella
source:
    id: GHSA-cvx7-x8pj-x2gw
    created: 2025-06-06T22:01:24.14919875Z
review_status: UNREVIEWED

Metadata

Metadata

Assignees

No one assigned

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions