CVE-2025-68151: CoreDNS gRPC/HTTPS/HTTP3 servers lack resource limits, enabling DoS via unbounded connections and oversized messages

January 8, 2026

Multiple CoreDNS server implementations (gRPC, HTTPS, and HTTP/3) lack critical resource-limiting controls. An unauthenticated remote attacker can exhaust memory and degrade or crash the server by opening many concurrent connections, streams, or sending oversized request bodies. The issue is similar in nature to CVE-2025-47950 (QUIC DoS) but affects additional server types that do not enforce connection limits, stream limits, or message size constraints.

References

github.com/advisories/GHSA-527x-5wrf-22m2
github.com/coredns/coredns
github.com/coredns/coredns/commit/0d8cbb1a6bcb6bc9c1a489865278b8725fa20812
github.com/coredns/coredns/pull/7490
github.com/coredns/coredns/security/advisories/GHSA-527x-5wrf-22m2
nvd.nist.gov/vuln/detail/CVE-2025-68151

Code Behaviors & Features

Detect and mitigate CVE-2025-68151 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →