CVE-2025-47950: CoreDNS Vulnerable to DoQ Memory Exhaustion via Stream Amplification
A Denial of Service (DoS) vulnerability was discovered in the CoreDNS DNS-over-QUIC (DoQ) server implementation. The server previously created a new goroutine for every incoming QUIC stream without imposing any limits on the number of concurrent streams or goroutines. A remote, unauthenticated attacker could open a large number of streams, leading to uncontrolled memory consumption and eventually causing an Out Of Memory (OOM) crash — especially in containerized or memory-constrained environments.
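To make the advisory's description concrete, here is an added illustration (not CoreDNS or quic-go code; the project's own fix is the commit listed in the references) of the two accept-loop shapes: one goroutine per stream with nothing bounding it, and the same loop gated by a semaphore so in-flight handlers can never exceed a configured limit. Stream and the channel-fed loop are simplified stand-ins for quic-go's stream type and AcceptStream, and PeakInFlight is a harness that measures how many handlers actually run at once under a burst of streams.

```go
package main

import "sync"

// Stream stands in for a QUIC stream; the channel serveStreams ranges over
// stands in for quic-go's AcceptStream loop (assumption: both are simplified).
type Stream int

// serveStreams is the accept loop. limit <= 0 reproduces the vulnerable shape:
// a goroutine per stream with nothing bounding it. A positive limit adds a
// semaphore channel, so once `limit` handlers are busy the loop blocks instead
// of spawning, and a stream flood cannot grow goroutines and memory unboundedly.
func serveStreams(streams <-chan Stream, handle func(Stream), limit int) {
	var sem chan struct{}
	if limit > 0 { sem = make(chan struct{}, limit) }
	for s := range streams {
		if sem != nil { sem <- struct{}{} } // blocks until a running handler frees a slot
		go func(s Stream) {
			if sem != nil { defer func() { <-sem }() } // free the slot once handled
			handle(s)
		}(s)
	}
}

// PeakInFlight feeds n constructed streams to serveStreams with handlers that
// park until a whole batch is parked, and returns the most handlers seen running
// at once: n for the unbounded loop, limit for the bounded one.
func PeakInFlight(n, limit int) int {
	streams := make(chan Stream, n)
	for i := 1; i <= n; i++ { streams <- Stream(i) }
	close(streams)
	var mu sync.Mutex
	cur, peak := 0, 0
	started, proceed := make(chan struct{}), make(chan struct{})
	handle := func(Stream) {
		mu.Lock(); cur++; if cur > peak { peak = cur }; mu.Unlock()
		started <- struct{}{} // report "running", then park until released
		<-proceed
		mu.Lock(); cur--; mu.Unlock()
	}
	batch := limit
	if batch <= 0 || batch > n { batch = n }
	go serveStreams(streams, handle, limit)
	for left := n; left > 0; left -= batch { // release a batch only once all of it parked
		b := batch; if b > left { b = left }
		for i := 0; i < b; i++ { <-started }
		for i := 0; i < b; i++ { proceed <- struct{}{} }
	}
	return peak // every handler reported in before its release, so peak is final
}
```

With 12 streams the unbounded loop reports 12 concurrent handlers, while the loop gated at 4 never exceeds 4 regardless of how many streams the peer opens.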
References
- datatracker.ietf.org/doc/html/rfc9250
- github.com/advisories/GHSA-cvx7-x8pj-x2gw
- github.com/coredns/coredns
- github.com/coredns/coredns/commit/efaed02c6a480ec147b1f799aab7cf815b17dfe1
- github.com/coredns/coredns/security/advisories/GHSA-cvx7-x8pj-x2gw
- github.com/quic-go/quic-go
- nvd.nist.gov/vuln/detail/CVE-2025-47950
- www.usenix.org/conference/usenixsecurity23/presentation/botella