7.5

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-47950

CVE-2025-47950: CoreDNS Vulnerable to DoQ Memory Exhaustion via Stream Amplification

Summary

A Denial of Service (DoS) vulnerability was discovered in the CoreDNS DNS-over-QUIC (DoQ) server implementation. The server previously created a new goroutine for every incoming QUIC stream without imposing any limits on the number of concurrent streams or goroutines. A remote, unauthenticated attacker could open a large number of streams, leading to uncontrolled memory consumption and eventually causing an Out Of Memory (OOM) crash — especially in containerized or memory-constrained environments.

Impact

Component: server_quic.go
Attack Vector: Remote, network-based
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Impact: High availability loss (OOM kill or unresponsiveness)

This issue affects deployments with quic:// enabled in the Corefile. A single attacker can cause the CoreDNS instance to become unresponsive using minimal bandwidth and CPU.

Patches

The patch introduces two key mitigation mechanisms:

max_streams: Caps the number of concurrent QUIC streams per connection. Default: 256.
worker_pool_size: Introduces a server-wide, bounded worker pool to process incoming streams. Default: 1024.

This eliminates the 1:1 stream-to-goroutine model and ensures that CoreDNS remains resilient under high concurrency. The new configuration options are exposed through the quic Corefile block:

quic {
    max_streams 256
    worker_pool_size 1024
}

These defaults are generous and aligned with typical DNS-over-QUIC client behavior.

Workarounds

If you're unable to upgrade immediately, you can:

Disable QUIC support by removing or commenting out the quic:// block in your Corefile
Use container runtime resource limits to detect and isolate excessive memory usage
Monitor QUIC connection patterns and alert on anomalies

References

Credit

Thanks to @thevilledev for disclovering this vulnerability and contributing a high-quality fix.

For more information

Please consult our security guide for more information regarding our security process.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-47950

CVE-2025-47950:

7.5

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/coredns/coredns	go	< 1.21.2	1.21.2

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability described is a Denial of Service (DoS) in CoreDNS's DNS-over-QUIC (DoQ) server, caused by uncontrolled memory consumption due to an unlimited number of goroutines being created for incoming QUIC streams. The analysis of the provided patch (commit efaed02c6a480ec147b1f799aab7cf815b17dfe1) pinpoints the vulnerable behavior to the serveQUICConnection method in core/dnsserver/server_quic.go.

In the vulnerable code, serveQUICConnection would accept a new QUIC connection and then, in a loop, accept streams on that connection. For each stream, it directly launched a new goroutine using go s.serveQUICStream(stream, conn). This 1:1 mapping of stream to goroutine, without any cap on the total number of goroutines, is the root cause of the memory exhaustion vulnerability. An attacker could establish a QUIC connection and then open a very large number of streams, each triggering the creation of a new goroutine, eventually overwhelming the server's memory resources.

The patch mitigates this by introducing two main changes visible in serveQUICConnection and its setup in NewServerQUIC:

A server-wide bounded worker pool (streamProcessPool) is introduced. Now, instead of directly spawning a goroutine, serveQUICConnection attempts to acquire a worker from this pool before launching the goroutine. This limits the total number of concurrently running serveQUICStream goroutines across all connections.
A per-connection stream limit (maxStreams) is also introduced, configured in NewServerQUIC and applied to the quic.Config. While this helps, the primary defense against goroutine exhaustion is the worker pool.

The function (*ServerQUIC).serveQUICConnection is therefore identified as the vulnerable function because it contained the logic that directly led to the unbounded creation of goroutines based on attacker-controlled input (number of streams). During exploitation, this function would be actively creating these goroutines, and its activity (or the subsequent OOM) would be a key indicator.

The function NewServerQUIC was modified to initialize these new limiting mechanisms, and is the function executed by each goroutine. However, the vulnerability—the act of creating too many goroutines—resides in .

7.5

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-47950: CoreDNS Vulnerable to DoQ Memory Exhaustion via Stream Amplification

Summary

Impact

Patches

Workarounds

References

Credit

For more information

CVE-2025-47950:

7.5

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerability IntelligenceMiggo AI

CVE-2025-47950: CoreDNS Vulnerable to DoQ Memory Exhaustion via Stream Amplification

Summary

Impact

Patches

Workarounds

References

Credit

For more information

Technical Details

7.5

7.5

Basic Information

Basic Information

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI