
CVE

GHSA-527x-5wrf-22m2

CoreDNS gRPC/HTTPS/HTTP3 servers lack resource limits, enabling DoS via unbounded connections and oversized messages

Multiple CoreDNS server implementations (gRPC, HTTPS, and HTTP/3) lack critical resource-limiting controls. An unauthenticated remote attacker can exhaust memory and degrade or crash the server by opening many concurrent connections, streams, or sending oversized request bodies. The issue is similar in nature to CVE-2025-47950 (QUIC DoS) but affects additional server types that do not enforce connection limits, stream limits, or message size constraints.

Impact

1. Missing connection and stream limits (gRPC / HTTPS / HTTP3)

The affected servers do not enforce reasonable upper bounds on concurrent connections or active streams. An attacker can:

  • Open many parallel connections
  • Rapidly issue requests without limit
  • Consume memory until the CoreDNS process becomes unresponsive or is terminated by the OOM killer

Testing demonstrates that modest resource configurations (e.g., 256 MB RAM) can be exhausted quickly. Increasing concurrency parameters in the PoCs allows attackers to scale the impact.

2. Missing message-size validation in the gRPC server

The gRPC server accepts arbitrarily large protobuf messages (default limit ~4 MB per request) without validating against DNS protocol constraints (maximum 64 KB). Sending multiple concurrent oversized messages can quickly exhaust available memory.

This vulnerability is the server-side counterpart of the earlier hardening work in PR https://github.com/coredns/coredns/pull/7490, which applied checks to upstream proxying but left server-side request validation unprotected.

Result:

In all cases, remote unauthenticated attackers can reliably trigger memory exhaustion and cause a denial of service.
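Added example, not CoreDNS code and not the v1.14.0 fix: the two missing controls described above, written against the Go standard library for a DNS-over-HTTPS handler. readDNSBody caps a request body at the DNS maximum (65535 bytes) before it is buffered, and limitListener bounds concurrent connections with a semaphore; the names and the cap sizes are this example's own assumptions.

```go
package main

import (
	"errors"
	"io"
	"net"
	"net/http"
	"sync"
)

// DNS messages carry a 16-bit length, so no valid DoH body exceeds 65535 bytes.
const maxDNSMessage = 65535
var ErrTooLarge = errors.New("request body exceeds DNS message limit")

// readDNSBody stops reading at maxDNSMessage; http.MaxBytesReader also closes
// the offending connection instead of letting the rest of the body stream in.
func readDNSBody(w http.ResponseWriter, r *http.Request) ([]byte, error) {
	body, err := io.ReadAll(http.MaxBytesReader(w, r.Body, maxDNSMessage))
	var mbe *http.MaxBytesError
	if errors.As(err, &mbe) {
		return nil, ErrTooLarge
	}
	return body, err
}

// limitListener bounds open connections: sem is buffered to the cap, Accept
// blocks while every slot is in use, and a slot is returned on Close.
type limitListener struct {
	net.Listener
	sem chan struct{}
}

func (l *limitListener) Accept() (net.Conn, error) {
	l.sem <- struct{}{} // acquire a slot; blocks while the cap is reached
	c, err := l.Listener.Accept()
	if err != nil {
		<-l.sem
		return nil, err
	}
	// sync.OnceFunc returns the slot exactly once, even if Close runs twice.
	return &limitConn{Conn: c, release: sync.OnceFunc(func() { <-l.sem })}, nil
}

type limitConn struct {
	net.Conn
	release func()
}

func (c *limitConn) Close() error { c.release(); return c.Conn.Close() }
```

Serve with `http.Server{Handler: h}.Serve(&limitListener{Listener: ln, sem: make(chan struct{}, 1024)})` and pair it with ReadHeaderTimeout and IdleTimeout so slow connections are reclaimed rather than pinned.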

Patches

v1.14.0


CVSS Version  Base Score  Vector
4.0           6.6         CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
3.1           7.5         CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H


References

https://github.com/coredns/coredns/security/advisories/GHSA-527x-5wrf-22m2
https://nvd.nist.gov/vuln/detail/CVE-2025-68151
https://github.com/coredns/coredns/pull/7490
https://github.com/coredns/coredns/commit/0d8cbb1a6bcb6bc9c1a489865278b8725fa20812
https://github.com/coredns/coredns


Basic Information

Ecosystem: (not listed)
Base CVSS: 7.5
EPSS Probability: 0.00093%
EPSS Percentile: 0.2656%
Introduced Version: 0, v1.13.2, v0.0.0-20251121040159-d3e13fe05d8e, v1.11.0, v0.0.0-20230731193431-cc7a36463325, v1.1.4, v0.0.0-20180601083420-0df5eb98fed3, v1.1.3, v0.0.0-20180521184046-18b92e1117b6, v1.1.1, v0.0.0-20180318130956-93ade7c432dd, v0.9.9, v0.0.0-20170614163710-e49ca86ce463, v0.0.0-20170313202437-bfaf9e0aecc7
Fix Available: 1.14.0, v1.14.0, v0.0.0-20251218030859-0d8cbb1a6bcb
