CVE-2025-68151 Overview
CVE-2025-68151 affects CoreDNS, a plugin-chained DNS server widely deployed in Kubernetes clusters and cloud-native environments. Versions prior to 1.14.0 lack resource-limiting controls in the gRPC, HTTPS, and HTTP/3 server implementations. An unauthenticated remote attacker can open many concurrent connections, create excessive streams, or send oversized request bodies to exhaust server memory. The condition degrades or crashes the CoreDNS process, disrupting name resolution for dependent services. The flaw is classified under [CWE-770] (Allocation of Resources Without Limits or Throttling) and resembles CVE-2025-47950, which affected the QUIC server path. Version 1.14.0 contains the patch.
Critical Impact
Unauthenticated attackers can crash CoreDNS instances over the network, disrupting DNS resolution across entire Kubernetes clusters and dependent workloads.
Affected Products
- CoreDNS versions prior to 1.14.0
- CoreDNS gRPC server implementation
- CoreDNS HTTPS and HTTP/3 server implementations
Discovery Timeline
- 2026-01-08 - CVE-2025-68151 published to NVD
- 2026-01-22 - Last updated in NVD database
Technical Details for CVE-2025-68151
Vulnerability Analysis
The vulnerability stems from missing connection, stream, and message size limits across three CoreDNS server transports. The gRPC, HTTPS, and HTTP/3 listeners accept client requests without enforcing upper bounds on concurrent connections per client, streams per connection, or request body sizes. An attacker can repeatedly establish sessions and submit large payloads, forcing the Go runtime to allocate memory that is never released until process termination.
This is a denial-of-service condition with no impact on confidentiality or integrity. The attack requires only network reachability to the affected server endpoint. CoreDNS deployments exposing alternative transports such as DNS over HTTPS (DoH) or gRPC to untrusted networks are most exposed. The EPSS score is 0.213%.
Root Cause
The CoreDNS server modules for gRPC, HTTPS, and HTTP/3 did not configure server-side limits such as MaxConcurrentStreams, maximum read body size, or per-connection rate controls. Go HTTP and gRPC servers default to permissive values that allow clients to consume unbounded resources. The patch in pull request #7490 introduces explicit limits across these listeners.
Attack Vector
An unauthenticated remote attacker connects to a CoreDNS server exposing gRPC, HTTPS, or HTTP/3 transports. The attacker opens many concurrent connections or streams, or sends oversized request bodies. Each request causes memory allocation inside the CoreDNS process. As allocations accumulate, the server becomes unresponsive or terminates due to out-of-memory conditions. The attack does not require valid DNS queries or any prior authentication. Refer to the GitHub Security Advisory GHSA-527x-5wrf-22m2 for additional technical detail.
Detection Methods for CVE-2025-68151
Indicators of Compromise
- Sudden spikes in CoreDNS process memory consumption without a corresponding increase in legitimate query volume
- Repeated CoreDNS pod restarts or out-of-memory (OOM) kill events in Kubernetes clusters
- High volumes of concurrent connections to CoreDNS gRPC, HTTPS, or HTTP/3 listener ports from a small number of source addresses
- Abnormally large request bodies received on DoH or gRPC endpoints
Detection Strategies
- Monitor CoreDNS process metrics including resident memory, goroutine count, and active connections via the Prometheus /metrics endpoint
- Inspect network flow telemetry for sustained connection rates against CoreDNS alternative transports from single sources
- Correlate container restart events in Kubernetes with DNS resolution failures across workloads
Monitoring Recommendations
- Alert on CoreDNS memory usage exceeding established baseline thresholds
- Track coredns_dns_requests_total against coredns_panics_total and pod restart counters
- Log and review source IP addresses initiating large numbers of gRPC or HTTPS connections to CoreDNS
How to Mitigate CVE-2025-68151
Immediate Actions Required
- Upgrade CoreDNS to version 1.14.0 or later across all clusters and standalone deployments
- Restrict network exposure of CoreDNS gRPC, HTTPS, and HTTP/3 listeners to trusted client ranges only
- Apply NetworkPolicy rules in Kubernetes to limit pod ingress to CoreDNS to authorized namespaces
- Configure resource limits on CoreDNS pods to contain memory exhaustion blast radius
Patch Information
The fix is available in CoreDNS 1.14.0. The relevant change is committed at GitHub commit 0d8cbb1 and discussed in pull request #7490. The patch enforces connection limits, stream limits, and message size constraints across the gRPC, HTTPS, and HTTP/3 server paths.
Workarounds
- Disable unused CoreDNS server transports by removing grpc, tls, or HTTP/3 directives from the Corefile if not required
- Place a reverse proxy or service mesh sidecar in front of CoreDNS to enforce connection and rate limits upstream
- Apply firewall or cloud security group rules to limit inbound connections to CoreDNS service ports
- Set strict pod memory limits and restartPolicy to recover from OOM conditions while patching is scheduled
# Example: restrict CoreDNS ingress with a Kubernetes NetworkPolicy
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: coredns-restrict-ingress
namespace: kube-system
spec:
podSelector:
matchLabels:
k8s-app: kube-dns
policyTypes:
- Ingress
ingress:
- from:
- namespaceSelector: {}
ports:
- protocol: UDP
port: 53
- protocol: TCP
port: 53
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

