CVE-2025-30194

EPSS 0.11%
Veröffentlicht 29.04.2025 11:25:47
Zuletzt bearbeitet 20.06.2025 16:15:28
Quelle security@open-xchange.com
Teams Watchlist Login
Unerledigt Login

When DNSdist is configured to provide DoH via the nghttp2 provider, an attacker can cause a denial of service by crafting a DoH exchange that triggers an illegal memory access (double-free) and crash of DNSdist, causing a denial of service.

The remedy is: upgrade to the patched 1.9.9 version.

A workaround is to temporarily switch to the h2o provider until DNSdist has been upgraded to a fixed version.

We would like to thank Charles Howes for bringing this issue to our attention.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 7

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

HerstellerPowerDNS

≫

Produkt DNSdist

Default Statusunaffected

Version < 1.9.9

Version 1.9.0

Status affected

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.11%	0.294

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security@open-xchange.com	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-416 Use After Free

The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

https://dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2025-02.html

http://www.openwall.com/lists/oss-security/2025/04/29/1

https://www.vicarius.io/vsociety/posts/cve-2025-30194-detection-dnsdist-vulnerability

https://www.vicarius.io/vsociety/posts/cve-2025-30194-mitigate-dnsdist-vulnerability

https://nvd.nist.gov/vuln/detail/CVE-2025-30194

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-30194

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-30194

EUVD