x/vulndb: potential Go vuln in github.com/coredns/coredns: GHSA-cvx7-x8pj-x2gw

[GoVulnBot]

Advisory GHSA-cvx7-x8pj-x2gw references a vulnerability in the following Go modules:

Module
github.com/coredns/coredns

Description:

Summary

A Denial of Service (DoS) vulnerability was discovered in the CoreDNS DNS-over-QUIC (DoQ) server implementation. The server previously created a new goroutine for every incoming QUIC stream without imposing any limits on the number of concurrent streams or goroutines. A remote, unauthenticated attacker could open a large number of streams, leading to uncontrolled memory consumption and eventually causing an Out Of Memory (OOM) crash — especially in containerized or memory-constrained environments.

Impact

• Component: server_quic.go
• Attack Vector: Remote, ne...

References:

• ADVISORY: GHSA-cvx7-x8pj-x2gw
• ADVISORY: GHSA-cvx7-x8pj-x2gw
• ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2025-47950
• FIX: coredns/coredns@efaed02
• WEB: https://datatracker.ietf.org/doc/html/rfc9250
• WEB: https://github.com/quic-go/quic-go
• WEB: https://www.usenix.org/conference/usenixsecurity23/presentation/botella

Cross references:

• github.com/coredns/coredns appears in 6 other report(s):
  • data/excluded/GO-2023-1606.yaml (x/vulndb: potential Go vuln in github.com/coredns/coredns: GHSA-ch7v-37xg-75ph #1606) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-1610.yaml (x/vulndb: potential Go vuln in github.com/coredns/coredns: GHSA-h828-v5pv-33qx #1610) EFFECTIVELY_PRIVATE
  • data/reports/GO-2022-0368.yaml (x/vulndb: potential Go vuln in github.com/coredns/coredns: GHSA-gv9j-4w24-q7vx #368)
  • data/reports/GO-2024-2785.yaml (x/vulndb: potential Go vuln in github.com/coredns/coredns: CVE-2024-0874 #2785)
  • data/reports/GO-2024-3130.yaml (x/vulndb: potential Go vuln in github.com/coredns/coredns: GHSA-hfmw-7g3m-gj6q #3130)
  • data/reports/GO-2024-3134.yaml (x/vulndb: potential Go vuln in github.com/coredns/coredns: GHSA-h92q-fgpp-qhrq #3134)

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/coredns/coredns
      non_go_versions:
        - fixed: 1.21.2
      vulnerable_at: 1.12.2
summary: CoreDNS Vulnerable to DoQ Memory Exhaustion via Stream Amplification in github.com/coredns/coredns
cves:
    - CVE-2025-47950
ghsas:
    - GHSA-cvx7-x8pj-x2gw
references:
    - advisory: https://github.com/advisories/GHSA-cvx7-x8pj-x2gw
    - advisory: https://github.com/coredns/coredns/security/advisories/GHSA-cvx7-x8pj-x2gw
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-47950
    - fix: https://github.com/coredns/coredns/commit/efaed02c6a480ec147b1f799aab7cf815b17dfe1
    - web: https://datatracker.ietf.org/doc/html/rfc9250
    - web: https://github.com/quic-go/quic-go
    - web: https://www.usenix.org/conference/usenixsecurity23/presentation/botella
source:
    id: GHSA-cvx7-x8pj-x2gw
    created: 2025-06-06T22:01:24.14919875Z
review_status: UNREVIEWED

[gopherbot]

Change https://go.dev/cl/680495 mentions this issue: data/reports: add 6 reports