CVE-2025-68151
Denial of Service in CoreDNS Servers via Resource Exhaustion
Publication date: 2026-01-08
Last updated on: 2026-01-08
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| coredns | coredns | up to 1.14.0 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-770 | The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-68151 is a vulnerability in CoreDNS versions prior to 1.14.0 affecting its gRPC, HTTPS, and HTTP/3 server implementations. These servers lack critical resource-limiting controls such as limits on the number of concurrent connections, active streams, and message size validation. An unauthenticated remote attacker can exploit this by opening many concurrent connections or streams, or by sending oversized request bodies, which can exhaust server memory and cause it to degrade or crash. The gRPC server, for example, accepts arbitrarily large protobuf messages without validation, allowing memory exhaustion. This vulnerability enables denial-of-service (DoS) attacks against CoreDNS servers. [1]
How can this vulnerability impact me?
This vulnerability can impact you by allowing an unauthenticated remote attacker to perform denial-of-service (DoS) attacks on your CoreDNS server. By exploiting the lack of resource limits, the attacker can open many concurrent connections and streams or send oversized messages, leading to rapid memory exhaustion. This can degrade server performance or cause it to crash, resulting in service disruption and potential downtime for DNS services relying on CoreDNS. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for unusually high numbers of concurrent connections or streams to CoreDNS servers (gRPC, HTTPS, HTTP/3) and by checking for oversized DNS messages exceeding 64 KB. Network monitoring tools or logs can be used to identify spikes in concurrent connections or streams. Specific commands are not provided in the resources, but generally, you can use network monitoring commands like 'netstat' or 'ss' to check active connections, and inspect CoreDNS logs for errors related to oversized messages or connection limits being exceeded. [1]
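The per-client connection check described above, as an added example that is not part of this page or of CoreDNS: it parses the output of `ss -Htn` (constructed sample lines here, not captured from a real host), counts established connections per remote host to one local listener port, and flags hosts above a threshold. The listener port (443 for a DoH server) and the threshold are assumptions; pick them from your own deployment.

```python
from collections import Counter

# Constructed sample of `ss -Htn` output: State Recv-Q Send-Q Local Peer.
# Assumes a CoreDNS HTTPS listener on :443 and a DoT listener on :853.
SAMPLE_SS_OUTPUT = """\
ESTAB 0 0 10.0.0.5:443 192.0.2.10:51234
ESTAB 0 0 10.0.0.5:443 192.0.2.10:51235
ESTAB 0 0 10.0.0.5:443 192.0.2.10:51236
ESTAB 0 0 10.0.0.5:443 198.51.100.7:40001
ESTAB 0 0 10.0.0.5:853 192.0.2.10:51300
"""


def peer_host(addr: str) -> str:
    """Strip the port from an ss address column ('1.2.3.4:5' or '[::1]:5')."""
    host, _, _ = addr.rpartition(":")
    return host.strip("[]")


def count_peers(ss_output: str, local_port: int) -> Counter:
    """Count established connections per remote host to one local port."""
    counts: Counter = Counter()
    for line in ss_output.splitlines():
        fields = line.split()
        # Skip blank lines, non-established sockets and malformed rows.
        if len(fields) < 5 or fields[0] != "ESTAB":
            continue
        local, peer = fields[3], fields[4]
        if local.rpartition(":")[2] != str(local_port):
            continue
        counts[peer_host(peer)] += 1
    return counts


def noisy_peers(ss_output: str, local_port: int, threshold: int) -> dict:
    """Return {host: n} for hosts holding more than `threshold` connections."""
    return {host: n
            for host, n in count_peers(ss_output, local_port).items()
            if n > threshold}


if __name__ == "__main__":
    # Threshold of 2 is only for the sample; the 200-connection default
    # quoted on this page is a more realistic reference point in production.
    print(noisy_peers(SAMPLE_SS_OUTPUT, 443, threshold=2))
```

On a live host, feed the function the output of `ss -Htn state established` and run it from cron or a monitoring agent, alerting on any host returned.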
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading CoreDNS to version 1.14.0 or later, which contains patches that introduce configurable resource limits on concurrent connections and streams for gRPC, HTTPS, and HTTP/3 servers. Additionally, configure the new plugins and parameters to enforce limits such as 'max_streams' and 'max_connections' to prevent resource exhaustion. These limits have secure defaults (e.g., 256 max streams per gRPC connection, 200 max concurrent connections) and reject oversized DNS messages. If upgrading immediately is not possible, consider restricting access to CoreDNS servers to trusted clients to reduce attack surface. [2, 3]