Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-68151

CVE-2025-68151: CoreDNS Server DoS Vulnerability

CVE-2025-68151 is a denial-of-service vulnerability in CoreDNS server affecting gRPC, HTTPS, and HTTP/3 implementations. Attackers can exhaust memory through unlimited connections. This guide covers technical details, affected versions, impact, and mitigation strategies.

Updated:

CVE-2025-68151 Overview

CVE-2025-68151 affects CoreDNS, a plugin-chained DNS server widely deployed in Kubernetes clusters and cloud-native environments. Versions prior to 1.14.0 lack resource-limiting controls in the gRPC, HTTPS, and HTTP/3 server implementations. An unauthenticated remote attacker can open many concurrent connections, create excessive streams, or send oversized request bodies to exhaust server memory. The condition degrades or crashes the CoreDNS process, disrupting name resolution for dependent services. The flaw is classified under [CWE-770] (Allocation of Resources Without Limits or Throttling) and resembles CVE-2025-47950, which affected the QUIC server path. Version 1.14.0 contains the patch.

Critical Impact

Unauthenticated attackers can crash CoreDNS instances over the network, disrupting DNS resolution across entire Kubernetes clusters and dependent workloads.

Affected Products

  • CoreDNS versions prior to 1.14.0
  • CoreDNS gRPC server implementation
  • CoreDNS HTTPS and HTTP/3 server implementations

Discovery Timeline

  • 2026-01-08 - CVE-2025-68151 published to NVD
  • 2026-01-22 - Last updated in NVD database

Technical Details for CVE-2025-68151

Vulnerability Analysis

The vulnerability stems from missing connection, stream, and message size limits across three CoreDNS server transports. The gRPC, HTTPS, and HTTP/3 listeners accept client requests without enforcing upper bounds on concurrent connections per client, streams per connection, or request body sizes. An attacker can repeatedly establish sessions and submit large payloads, forcing the Go runtime to allocate memory that is never released until process termination.

This is a denial-of-service condition with no impact on confidentiality or integrity. The attack requires only network reachability to the affected server endpoint. CoreDNS deployments exposing alternative transports such as DNS over HTTPS (DoH) or gRPC to untrusted networks are most exposed. The EPSS score is 0.213%.

Root Cause

The CoreDNS server modules for gRPC, HTTPS, and HTTP/3 did not configure server-side limits such as MaxConcurrentStreams, maximum read body size, or per-connection rate controls. Go HTTP and gRPC servers default to permissive values that allow clients to consume unbounded resources. The patch in pull request #7490 introduces explicit limits across these listeners.

Attack Vector

An unauthenticated remote attacker connects to a CoreDNS server exposing gRPC, HTTPS, or HTTP/3 transports. The attacker opens many concurrent connections or streams, or sends oversized request bodies. Each request causes memory allocation inside the CoreDNS process. As allocations accumulate, the server becomes unresponsive or terminates due to out-of-memory conditions. The attack does not require valid DNS queries or any prior authentication. Refer to the GitHub Security Advisory GHSA-527x-5wrf-22m2 for additional technical detail.

Detection Methods for CVE-2025-68151

Indicators of Compromise

  • Sudden spikes in CoreDNS process memory consumption without a corresponding increase in legitimate query volume
  • Repeated CoreDNS pod restarts or out-of-memory (OOM) kill events in Kubernetes clusters
  • High volumes of concurrent connections to CoreDNS gRPC, HTTPS, or HTTP/3 listener ports from a small number of source addresses
  • Abnormally large request bodies received on DoH or gRPC endpoints

Detection Strategies

  • Monitor CoreDNS process metrics including resident memory, goroutine count, and active connections via the Prometheus /metrics endpoint
  • Inspect network flow telemetry for sustained connection rates against CoreDNS alternative transports from single sources
  • Correlate container restart events in Kubernetes with DNS resolution failures across workloads

Monitoring Recommendations

  • Alert on CoreDNS memory usage exceeding established baseline thresholds
  • Track coredns_dns_requests_total against coredns_panics_total and pod restart counters
  • Log and review source IP addresses initiating large numbers of gRPC or HTTPS connections to CoreDNS

How to Mitigate CVE-2025-68151

Immediate Actions Required

  • Upgrade CoreDNS to version 1.14.0 or later across all clusters and standalone deployments
  • Restrict network exposure of CoreDNS gRPC, HTTPS, and HTTP/3 listeners to trusted client ranges only
  • Apply NetworkPolicy rules in Kubernetes to limit pod ingress to CoreDNS to authorized namespaces
  • Configure resource limits on CoreDNS pods to contain memory exhaustion blast radius

Patch Information

The fix is available in CoreDNS 1.14.0. The relevant change is committed at GitHub commit 0d8cbb1 and discussed in pull request #7490. The patch enforces connection limits, stream limits, and message size constraints across the gRPC, HTTPS, and HTTP/3 server paths.

Workarounds

  • Disable unused CoreDNS server transports by removing grpc, tls, or HTTP/3 directives from the Corefile if not required
  • Place a reverse proxy or service mesh sidecar in front of CoreDNS to enforce connection and rate limits upstream
  • Apply firewall or cloud security group rules to limit inbound connections to CoreDNS service ports
  • Set strict pod memory limits and restartPolicy to recover from OOM conditions while patching is scheduled
bash
# Example: restrict CoreDNS ingress with a Kubernetes NetworkPolicy
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: coredns-restrict-ingress
  namespace: kube-system
spec:
  podSelector:
    matchLabels:
      k8s-app: kube-dns
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector: {}
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.