CoreDNS

CVE-2025-47950 is a high-severity denial-of-service vulnerability in the DNS-over-QUIC (DoQ) server of CoreDNS. An unauthenticated remote attacker can exhaust server memory through DoQ stream amplification: the stream-handling loop in server_quic.go spawned a new goroutine for every incoming QUIC stream with no concurrency control, so a client that opens a large number of concurrent streams drives the process into an Out Of Memory (OOM) condition. In containerized deployments, and Kubernetes clusters in particular, the CoreDNS pod is then OOM-killed and cluster DNS resolution stops, a complete service outage. Only deployments that explicitly listen on quic:// in their Corefile are affected; the stock Kubernetes CoreDNS ConfigMap serves plain DNS on .:53 only and is not exposed unless DoQ was added. Organizations that enabled DoQ for its privacy and performance benefits should upgrade to CoreDNS 1.12.2, which caps the streams accepted per connection (max_streams) and bounds the goroutines that serve them with a worker pool (worker_pool_size); until then, removing the quic:// listener and setting container memory limits contain the impact.

Source: https://cybersecuritynews.com/coredns-vulnerability-exhaust-server-memory/

TPRM report: https://scoringcyber.rankiteo.com/company/learnk8s

{
"id": "lea604061125",
"linkid": "learnk8s",
"type": "Vulnerability",
"date": "6/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
}
{'affected_entities': [{'industry': 'Cloud-native DNS server',
                        'name': 'CoreDNS',
                        'type': 'Software'}],
 'attack_vector': 'DNS-over-QUIC stream amplification attacks',
 'description': 'A high-severity security vulnerability in CoreDNS allows '
                'remote attackers to exhaust server memory through '
                'DNS-over-QUIC (DoQ) stream amplification attacks, potentially '
                'causing complete service outages in containerized '
                'environments.',
 'impact': {'downtime': 'Complete service outages',
            'systems_affected': 'CoreDNS servers with quic:// protocol '
                                'enabled'},
 'initial_access_broker': {'entry_point': 'QUIC protocol',
                           'high_value_targets': 'Organizations with quic:// '
                                                 'enabled in Corefile '
                                                 'configuration'},
 'motivation': 'Service disruption',
 'post_incident_analysis': {'corrective_actions': ['Implement max_streams and '
                                                   'worker_pool_size '
                                                   'parameters'],
                            'root_causes': 'Unlimited number of goroutines for '
                                           'incoming QUIC streams without '
                                           'concurrency controls'},
 'recommendations': ['Upgrade to CoreDNS version 1.12.2',
                     'Implement temporary workarounds for immediate '
                     'protection'],
 'response': {'containment_measures': ['Disable QUIC support',
                                       'Implement container runtime resource '
                                       'limits',
                                       'Establish monitoring systems for QUIC '
                                       'connection anomalies'],
              'enhanced_monitoring': 'Monitoring systems for QUIC connection '
                                     'anomalies',
              'remediation_measures': ['Upgrade to CoreDNS version 1.12.2',
                                       'Use max_streams and worker_pool_size '
                                       'parameters']},
 'title': 'CoreDNS DNS-over-QUIC Vulnerability (CVE-2025-47950)',
 'type': 'Vulnerability',
 'vulnerability_exploited': 'CVE-2025-47950'}
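The configuration the record above refers to, as an added example that is not from the page or the CoreDNS project: two alternative Corefile server blocks for a DoQ listener, the exposed form on any CoreDNS release before 1.12.2 and the hardened form on 1.12.2 or later. The certificate paths, zone and upstream address are placeholders; the `quic` directive, its `max_streams` and `worker_pool_size` options and their defaults (256 and 1024) are taken from the 1.12.2 plugin documentation and should be checked against the installed version's README.

```corefile
# Added example, not CoreDNS project code. Pick ONE of the two server
# blocks below; they bind the same address and are shown side by side
# only for comparison.

# EXPOSED (CoreDNS < 1.12.2): a quic:// listener with no stream limits.
# Every incoming QUIC stream gets its own goroutine with no cap, so one
# client opening many streams can drive the process to OOM.
quic://.:853 {
    tls /etc/coredns/tls/server.crt /etc/coredns/tls/server.key
    forward . 10.0.0.53
    log
}

# HARDENED (CoreDNS >= 1.12.2): the quic directive caps concurrent streams
# per connection and bounds the total stream handlers with a worker pool.
# The defaults already apply on 1.12.2 without this block; set them
# explicitly to tune below the defaults for a small, shared DNS pod.
quic://.:853 {
    tls /etc/coredns/tls/server.crt /etc/coredns/tls/server.key
    quic {
        # per-connection cap on concurrent streams (default 256)
        max_streams 64
        # total stream handlers in flight across all connections (default 1024)
        worker_pool_size 512
    }
    forward . 10.0.0.53
    log
}
```

If upgrading is not immediately possible, the containment in the record above amounts to deleting the quic:// server block entirely (the plain .:53 block keeps serving) and giving the container a memory limit so an OOM kills only the pod rather than a node. Keep the `tls` line in any DoQ block: CoreDNS refuses to start a quic:// listener without it, and a listener that fails to start is also one that cannot be amplified against.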