CVE-2025-48945 Overview
CVE-2025-48945 is a use-after-free vulnerability [CWE-416] in pycares, a Python module that provides bindings to the c-ares asynchronous DNS resolution library. The flaw affects pycares versions prior to 4.9.0. The vulnerability triggers when a Channel object is garbage collected while DNS queries remain pending, producing a fatal Python error and interpreter crash. Downstream projects such as aiodns are also impacted and require the patched dependency.
Critical Impact
Remote attackers can trigger an interpreter crash in Python applications that use pycares for DNS resolution and let Channel objects be destroyed while queries are still pending, resulting in denial of service for services such as async HTTP clients, scanners, and resolvers.
Affected Products
- pycares versions prior to 4.9.0
- aiodns versions prior to 3.5.0 (transitive dependency)
- Python applications and services using pycares.Channel for asynchronous DNS
Discovery Timeline
- 2025-06-20 - CVE-2025-48945 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-48945
Vulnerability Analysis
The vulnerability resides in the lifecycle management of the pycares Channel object. The Channel wraps a native c-ares resolver context that tracks in-flight DNS queries and their callbacks. When Python's garbage collector reclaims a Channel instance while queries are still pending, the underlying c-ares structures are destroyed without first canceling or draining outstanding requests. Subsequent callback invocations dereference freed memory, producing a fatal interpreter error.
The defect is classified under CWE-416 (Use After Free). The attack vector is network-based because remote DNS responses or remote-controlled hostnames can influence when queries complete relative to channel destruction. Any service that resolves attacker-influenced names while channels are transient is exposed to denial of service.
Root Cause
The root cause is the absence of a safe shutdown path between the Python Channel wrapper and the native c-ares channel. Prior to 4.9.0, channel destruction during garbage collection raced against pending query callbacks. The maintainers addressed this by introducing a thread-safe close() method and a serialized destruction queue that processes one channel per second to guarantee c-ares teardown safety.
Attack Vector
Exploitation requires only that a target application create and destroy pycares Channel objects while queries are outstanding. Attackers who can induce slow or never-resolving DNS lookups, or who can prolong query lifetimes through controlled authoritative servers, can reliably race channel garbage collection. The result is an interpreter crash and loss of service availability.
```python
# Patched usage pattern from pycares 4.9.0 (examples/cares-asyncio-event-thread.py)
import asyncio
import socket
from typing import Any, Callable, Optional

import pycares


class DNSResolver:
    def __init__(self, loop: Optional[asyncio.AbstractEventLoop] = None) -> None:
        # Use event_thread=True for automatic event handling in a separate thread
        self._channel = pycares.Channel(event_thread=True)
        self.loop = loop or asyncio.get_running_loop()

    def query(
        self, name: str, query_type: int, cb: Callable[[Any, Optional[int]], None]
    ) -> None:
        self._channel.query(name, query_type, cb)

    def gethostbyname(
        self, name: str, cb: Callable[[Any, Optional[int]], None]
    ) -> None:
        self._channel.gethostbyname(name, socket.AF_INET, cb)

    def close(self) -> None:
        """Thread-safe shutdown of the channel."""
        # Simply call close() - it's thread-safe and handles everything
        self._channel.close()
```

Source: pycares commit ebfd7d71
Detection Methods for CVE-2025-48945
Indicators of Compromise
- Unexpected "Fatal Python error" messages in application logs referencing pycares or c-ares callbacks
- Repeated worker or process restarts in services that perform asynchronous DNS resolution
- Core dumps or crash artifacts originating from Python processes linked against libcares
Detection Strategies
- Inventory Python environments and identify installations of pycares below version 4.9.0 and aiodns below 3.5.0 using pip list or SBOM tooling.
- Monitor process supervisors for abnormal Python interpreter exit codes correlated with DNS-heavy workloads.
- Review CI and dependency scanning output for GitHub Security Advisory GHSA-5qpg-rh4j-qp35.
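To operationalize the inventory step above, here is an added example (not from the advisory or the pycares project) that flags pycares and aiodns pins below the fixed versions in `pip freeze` output; the thresholds are the ones the advisory states, and the sample freeze output is constructed.

```python
# Added example (not from the advisory or pycares): flag pycares/aiodns pins
# below the fixed versions from CVE-2025-48945. Usage: pip freeze | python check.py
import re
import sys
from typing import Dict, List, Tuple

# Minimum fixed versions stated in the advisory.
FIXED_VERSIONS: Dict[str, str] = {"pycares": "4.9.0", "aiodns": "3.5.0"}

# Constructed `pip freeze` output, used when nothing is piped on stdin.
SAMPLE_FREEZE = """\
aiohttp==3.9.5
aiodns==3.2.0
pycares==4.4.0
requests==2.32.3
"""

def parse_version(v: str) -> Tuple[int, int, int, int]:
    """Map '4.9.0' -> (4, 9, 0, 1). A pre-release tag (a/b/rc/dev) yields a final
    0 so that 4.9.0rc1 sorts below 4.9.0 and is still reported as vulnerable."""
    m = re.match(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?(.*)$", v.strip())
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    major, minor, patch, rest = m.groups()
    is_final = 0 if re.match(r"^\.?(a|b|rc|dev)", rest) else 1
    return (int(major), int(minor or 0), int(patch or 0), is_final)

def parse_freeze(text: str) -> Dict[str, str]:
    """Parse `name==version` lines; names are lower-cased with '_' -> '-' like pip."""
    pins: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "==" not in line:
            continue
        name, _, version = line.partition("==")
        pins[name.strip().lower().replace("_", "-")] = version.strip()
    return pins

def find_vulnerable(pins: Dict[str, str]) -> List[str]:
    """Return 'name==version' for each tracked package pinned below its fix."""
    return sorted(
        f"{name}=={pins[name]}"
        for name, fixed in FIXED_VERSIONS.items()
        if name in pins and parse_version(pins[name]) < parse_version(fixed)
    )
if __name__ == "__main__":
    text = SAMPLE_FREEZE if sys.stdin.isatty() else sys.stdin.read()
    for hit in find_vulnerable(parse_freeze(text)):
        print(f"VULNERABLE (CVE-2025-48945): {hit}")
```

Lines that are not `name==version` pins (editable installs, URL requirements) are skipped, so those installations still need a manual check.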
Monitoring Recommendations
- Alert on Python process crashes that emit stack traces involving pycares.Channel or ares_destroy.
- Track DNS query latency and timeout rates to identify conditions that increase the likelihood of channel destruction races.
- Audit application code paths that instantiate transient Channel objects per request rather than reusing a long-lived instance.
How to Mitigate CVE-2025-48945
Immediate Actions Required
- Upgrade pycares to version 4.9.0 or later across all Python environments.
- Upgrade aiodns to 3.5.0 or later to pull in the patched pycares dependency.
- Refactor application code to reuse a single long-lived Channel instance and explicitly call close() rather than relying on garbage collection.
Patch Information
The fix is delivered in pycares 4.9.0 and aiodns 3.5.0. The pycares patch introduces a thread-safe channel destruction mechanism with a serialized teardown queue limited to 60 channels per minute. Refer to the GitHub Security Advisory GHSA-5qpg-rh4j-qp35, the pycares v4.9.0 release, and the aiodns v3.5.0 release for full details.
Workarounds
- Avoid creating transient Channel objects per DNS query; instantiate one resolver and reuse it for the lifetime of the application.
- Wrap channel usage in the context manager protocol or call channel.close() explicitly before allowing references to drop.
- For applications with high query volume, implement a small channel pool rather than ad-hoc creation and destruction.
```shell
# Upgrade the vulnerable packages
pip install --upgrade 'pycares>=4.9.0' 'aiodns>=3.5.0'

# Verify installed versions
python -c "import pycares; print(pycares.__version__)"
python -c "import aiodns; print(aiodns.__version__)"
```
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.