CVE-2025-30187

Denial of service via crafted DoH exchange in PowerDNS DNSdist

CVSS 3.7 LOWEPSS 0.3%CWE-835

Vexday Risk Score

8Bajo

Decisión SSVC (CISA)

Track

Sin señal de explotación → monitorear

CVSS 3.7EPSS 0.3%KEV nãoPoC —Nuclei —Metasploit —Patch —

Ciclo de vida

18 sep 2025Publicada en NVD

Recomendación: Monitorear — sin señal de explotación por ahora.

In some circumstances, when DNSdist is configured to use the nghttp2 library to process incoming DNS over HTTPS queries, an attacker might be able to cause a denial of service by crafting a DoH exchange that triggers an unbounded I/O read loop, causing an unexpected consumption of CPU resources.

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

Productos afectados

PowerDNS · DNSdist

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →

Referencias

https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2025-05.html http://www.openwall.com/lists/oss-security/2025/09/18/1