6.6

CVSS Score

4.0

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-68151

CVE-2025-68151: CoreDNS gRPC/HTTPS/HTTP3 servers lack resource limits, enabling DoS via unbounded connections and oversized messages

Multiple CoreDNS server implementations (gRPC, HTTPS, and HTTP/3) lack critical resource-limiting controls. An unauthenticated remote attacker can exhaust memory and degrade or crash the server by opening many concurrent connections, streams, or sending oversized request bodies. The issue is similar in nature to CVE-2025-47950 (QUIC DoS) but affects additional server types that do not enforce connection limits, stream limits, or message size constraints.

Impact

1. Missing connection and stream limits (gRPC / HTTPS / HTTP3)

The affected servers do not enforce reasonable upper bounds on concurrent connections or active streams. An attacker can:

Open many parallel connections
Rapidly issue requests without limit
Consume memory until the CoreDNS process becomes unresponsive or is terminated by the OOM killer

Testing demonstrates that modest resource configurations (e.g., 256 MB RAM) can be exhausted quickly. Increasing concurrency parameters in the PoCs allows attackers to scale the impact.

2. Missing message-size validation in the gRPC server

The gRPC server accepts arbitrarily large protobuf messages (default limit ~4 MB per request) without validating against DNS protocol constraints (maximum 64 KB). Sending multiple concurrent oversized messages can quickly exhaust available memory.

This vulnerability mirrors earlier hardening work in PR https://github.com/coredns/coredns/pull/7490, which applied checks for upstream proxying but left server-side request validation unprotected.

Result:

In all cases, remote unauthenticated attackers can reliably trigger memory exhaustion and cause a denial of service.

Patches

v1.14.0

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-68151

CVE-2025-68151:

6.6

CVSS Score

4.0

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/coredns/coredns	go	< 1.14.0	1.14.0

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from a lack of resource limiting in CoreDNS's gRPC, HTTPS, and HTTP/3 servers, which allows an unauthenticated remote attacker to cause a denial of service through memory exhaustion. The analysis of the provided patch (0d8cbb1a6bcb6bc9c1a489865278b8725fa20812) confirms this.

gRPC Server DoS: The dnsserver.(*ServergRPC).Serve function was vulnerable because it initialized the gRPC server without any connection or stream limits. The patch applies limits using netutil.LimitListener for connections and grpc.MaxConcurrentStreams for streams. Furthermore, the dnsserver.(*ServergRPC).Query function was vulnerable to oversized messages, as it did not validate the message size before processing. The patch adds a crucial size check to prevent this.
HTTPS Server DoS: The dnsserver.(*ServerHTTPS).Serve function was vulnerable as it did not limit the number of concurrent connections. The patch integrates netutil.LimitListener to enforce a connection limit, preventing connection exhaustion attacks.
HTTP/3 Server DoS: The dnsserver.NewServerHTTPS3 function, which sets up the HTTP/3 server, failed to configure a limit on concurrent QUIC streams. The patch rectifies this by setting the MaxIncomingStreams and MaxIncomingUniStreams properties on the QUIC transport configuration, mitigating the risk of stream-based resource exhaustion.

In summary, the identified functions are the precise locations where resource limits were absent, making them the entry points for the denial-of-service attacks described. The patch systematically adds the necessary checks and configurations to harden these servers.

Vulnerable functions

dnsserver.(*ServergRPC).Query

core/dnsserver/server_grpc.go

This function processes incoming gRPC DNS queries. Before the patch, it lacked a size check on the incoming message (`in.GetMsg()`). An attacker could send an arbitrarily large message, and the server would attempt to unpack it, leading to excessive memory allocation and a denial of service. The patch adds a check to ensure the message size does not exceed the standard DNS message size limit.

dnsserver.(*ServergRPC).Serve

core/dnsserver/server_grpc.go

This function starts the gRPC server. Prior to the patch, it did not configure any limits on concurrent connections, concurrent streams, or message sizes. This allowed an attacker to exhaust server memory by opening a large number of connections and streams. The patch introduces `netutil.LimitListener` to cap connections and adds gRPC server options (`MaxConcurrentStreams`, `MaxRecvMsgSize`) to limit streams and message sizes.

dnsserver.(*ServerHTTPS).Serve

core/dnsserver/server_https.go

This function starts the DNS-over-HTTPS server. Before the patch, it did not enforce a limit on the number of concurrent connections. An attacker could open an unlimited number of connections, leading to memory exhaustion and a denial of service. The patch mitigates this by using `netutil.LimitListener` to enforce a connection limit.

dnsserver.NewServerHTTPS3

core/dnsserver/server_https3.go

This function is responsible for creating and configuring the DNS-over-HTTP/3 server. The vulnerability lies in the fact that it did not set any limits on the number of concurrent QUIC streams per connection. An attacker could exploit this by opening a large number of streams on a single connection, exhausting server resources. The patch adds logic to configure `MaxIncomingStreams` and `MaxIncomingUniStreams` on the `quic.Config`.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

6.6

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-68151: CoreDNS gRPC/HTTPS/HTTP3 servers lack resource limits, enabling DoS via unbounded connections and oversized messages

Impact

1. Missing connection and stream limits (gRPC / HTTPS / HTTP3)

2. Missing message-size validation in the gRPC server

Result:

Patches

CVE-2025-68151:

6.6

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

CVE-2025-68151: CoreDNS gRPC/HTTPS/HTTP3 servers lack resource limits, enabling DoS via unbounded connections and oversized messages

Impact

1. Missing connection and stream limits (gRPC / HTTPS / HTTP3)

2. Missing message-size validation in the gRPC server

Result:

Patches

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

6.6

6.6

Basic Information

Basic Information

Technical Details

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI