CVE-2025-68151
Unknown Unknown - Not Provided
Denial of Service in CoreDNS Servers via Resource Exhaustion

Publication date: 2026-01-08

Last updated on: 2026-01-08

Assigner: GitHub, Inc.

Description
CoreDNS is a DNS server that chains plugins. Prior to version 1.14.0, multiple CoreDNS server implementations (gRPC, HTTPS, and HTTP/3) lack critical resource-limiting controls. An unauthenticated remote attacker can exhaust memory and degrade or crash the server by opening many concurrent connections, streams, or sending oversized request bodies. The issue is similar in nature to CVE-2025-47950 (QUIC DoS) but affects additional server types that do not enforce connection limits, stream limits, or message size constraints. Version 1.14.0 contains a patch.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-08
Last Modified
2026-01-08
Generated
2026-06-16
AI Q&A
2026-01-08
EPSS Evaluated
2026-06-15
NVD
CVE-2025-68151
EUVD
EUVD-2026-1476
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
coredns coredns to 1.14.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-68151 is a vulnerability in CoreDNS versions prior to 1.14.0 affecting its gRPC, HTTPS, and HTTP/3 server implementations. These servers lack critical resource-limiting controls such as limits on the number of concurrent connections, active streams, and message size validation. An unauthenticated remote attacker can exploit this by opening many concurrent connections or streams, or by sending oversized request bodies, which can exhaust server memory and cause it to degrade or crash. The gRPC server, for example, accepts arbitrarily large protobuf messages without validation, allowing memory exhaustion. This vulnerability enables denial-of-service (DoS) attacks against CoreDNS servers. [1]

Impact Analysis

This vulnerability can impact you by allowing an unauthenticated remote attacker to perform denial-of-service (DoS) attacks on your CoreDNS server. By exploiting the lack of resource limits, the attacker can open many concurrent connections and streams or send oversized messages, leading to rapid memory exhaustion. This can degrade server performance or cause it to crash, resulting in service disruption and potential downtime for DNS services relying on CoreDNS. [1]

Detection Guidance

This vulnerability can be detected by monitoring for unusually high numbers of concurrent connections or streams to CoreDNS servers (gRPC, HTTPS, HTTP/3) and by checking for oversized DNS messages exceeding 64 KB. Network monitoring tools or logs can be used to identify spikes in concurrent connections or streams. Specific commands are not provided in the resources, but generally, you can use network monitoring commands like 'netstat' or 'ss' to check active connections, and inspect CoreDNS logs for errors related to oversized messages or connection limits being exceeded. [1]

Mitigation Strategies

Immediate mitigation steps include upgrading CoreDNS to version 1.14.0 or later, which contains patches that introduce configurable resource limits on concurrent connections and streams for gRPC, HTTPS, and HTTP/3 servers. Additionally, configure the new plugins and parameters to enforce limits such as 'max_streams' and 'max_connections' to prevent resource exhaustion. These limits have secure defaults (e.g., 256 max streams per gRPC connection, 200 max concurrent connections) and reject oversized DNS messages. If upgrading immediately is not possible, consider restricting access to CoreDNS servers to trusted clients to reduce attack surface. [2, 3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-68151. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart