oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

PowerDNS Security Advisory 2025-05 for DNSdist: Denial of service via crafted DoH exchange

From: Remi Gacogne <remi.gacogne () powerdns com>
Date: Thu, 18 Sep 2025 11:25:20 +0200
Hi all,
Today we have released PowerDNS DNSdist 1.9.11 and 2.0.1. These releases fix PowerDNS Security Advisory 2025-05 for DNSdist, a denial of service via crafted DoH exchange. While working on adding mitigations against the MadeYouReset (CVE-2025-8671) attack, we noticed a potential denial of service in our DNS over HTTPS implementation when using the nghttp2 provider: an attacker might be able to cause a denial of service by crafting a DoH exchange that triggers an unbounded I/O read loop, causing an unexpected consumption of CPU resources. We assigned CVE-2025-30187 to this issue. The offending code was introduced in DNSdist 1.9.0-alpha1 so previous versions are not affected. 

The full security advisory is provided below, and can also be
found at
https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2025-05.html

Minimal patches can also be found here:
https://downloads.powerdns.com/patches/2025-05/

Please feel free to contact me directly if you have any question.
PowerDNS Security Advisory 2025-05 for DNSdist: Denial of service via crafted DoH exchange 

- CVE: CVE-2025-30187
- Date: 2025-09-18T12:00:00+02:00
- Discovery date: 2025-08-26T00:00:00+02:00
- Affects: PowerDNS DNSdist from 1.9.0 to 1.9.10, 2.0.0
- Not affected: PowerDNS DNSdist < 1.9.0, 1.9.11, 2.0.1
- Severity: Low
- Impact: Denial of service
- Exploit: This problem can be triggered by an attacker crafting a DoH exchange 
- Risk of system compromise: None
- Solution: Upgrade to patched version or use the h2o provider
- CWE: CWE-835
- CVSS: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
- Last affected: 1.9.10,2.0.0
- First fixed: 1.9.11,2.0.1
- Internal ID: 308
In some circumstances, when DNSdist is configured to use the nghttp2 library to process incoming DNS over HTTPS queries, an attacker might be able to cause a denial of service by crafting a DoH exchange that triggers an unbounded I/O read loop, causing an unexpected consumption of CPU resources. The offending code was introduced in DNSdist 1.9.0-alpha1 so previous versions are not affected. 

The remedy is: upgrade to a patched version, or switch to the h2o provider.


Best regards,
--
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/

Attachment: OpenPGP_signature.asc
Description: OpenPGP digital signature

Previous By Date Next
Previous By Thread Next

Current thread: