CVE-2025-30187

Denial of service via crafted DoH exchange in PowerDNS DNSdist

CVSS 3.7 LOWEPSS 0.3%CWE-835

Vexday Risk Score

8Baixo

Decisão SSVC (CISA)

Track

Sem sinal de exploração → monitorar

CVSS 3.7EPSS 0.3%KEV nãoPoC —Nuclei —Metasploit —Patch —

Ciclo de vida

18 set 2025Publicada no NVD

Recomendação: Monitorar — sem sinal de exploração no momento.

In some circumstances, when DNSdist is configured to use the nghttp2 library to process incoming DNS over HTTPS queries, an attacker might be able to cause a denial of service by crafting a DoH exchange that triggers an unbounded I/O read loop, causing an unexpected consumption of CPU resources.

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

Produtos afetados

PowerDNS · DNSdist

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →

Referências

https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2025-05.html http://www.openwall.com/lists/oss-security/2025/09/18/1