🐹 Go

GHSA-cvx7-x8pj-x2gw

HIGH

CoreDNS Vulnerable to DoQ Memory Exhaustion via Stream Amplification

Also known as CVE-2025-47950, GO-2025-3743
Published
Jun 6, 2025
Updated
Feb 4, 2026
Affected
1 pkg
Patched
1 / 1
Exploits
None indexed

EPSS Exploitation Probability

via FIRST.org ↗
1.1% probability of exploitation in the next 30 days (Lower Risk, 62nd percentile, +0.98% change)

EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.

Blast Radius

1 pkg affected
🐹 github.com/coredns/coredns

Real-time download stats are indexed for npm and PyPI packages. This vulnerability affects Go packages — download data is not available via public APIs for these ecosystems.

Description

Summary

A Denial of Service (DoS) vulnerability was discovered in the CoreDNS DNS-over-QUIC (DoQ) server implementation. The server previously created a new goroutine for every incoming QUIC stream without imposing any limits on the number of concurrent streams or goroutines. A remote, unauthenticated attacker could open a large number of streams, leading to uncontrolled memory consumption and eventually causing an Out Of Memory (OOM) crash — especially in containerized or memory-constrained environments.

Impact

  • Component: server_quic.go
  • Attack Vector: Remote, network-based
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Impact: High availability loss (OOM kill or unresponsiveness)

This issue affects deployments with quic:// enabled in the Corefile. A single attacker can cause the CoreDNS instance to become unresponsive using minimal bandwidth and CPU.

Patches

The patch introduces two key mitigation mechanisms:

  • max_streams: Caps the number of concurrent QUIC streams per connection. Default: 256.
  • worker_pool_size: Introduces a server-wide, bounded worker pool to process incoming streams. Default: 1024.

This eliminates the 1:1 stream-to-goroutine model and ensures that CoreDNS remains resilient under high concurrency. The new configuration options are exposed through the quic Corefile block:

quic {
    max_streams 256
    worker_pool_size 1024
}

These defaults are generous and aligned with typical DNS-over-QUIC client behavior.
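The unbounded goroutine-per-stream model from the Summary, and the two bounds the patch introduces, as an added illustration (not CoreDNS's own server_quic.go): `HandleStream` refuses a stream once the connection's `max_streams` cap or the server-wide `worker_pool_size` is exhausted, and `Simulate` drives a constructed burst of slow streams through it. Rejecting a stream when the pool is saturated (rather than queuing it) is an assumption of this example; the advisory does not state which the real patch does.

```go
package main

import (
	"sync"
	"sync/atomic"
)

// Conn applies the two bounds from the CoreDNS patch: Pool is the server-wide
// worker pool (worker_pool_size) shared by all connections, MaxStreams the
// per-connection cap (max_streams). Pattern illustration, not CoreDNS code.
type Conn struct {
	MaxStreams int
	Pool       chan struct{} // one token per busy worker; capacity = pool size
	active     atomic.Int32  // streams currently open on this connection
}
// HandleStream replaces the unbounded "go handle(id)": a stream past MaxStreams
// or arriving while every worker is busy is shed (a real server would close it).
func (c *Conn) HandleStream(id int, handle func(int), wg *sync.WaitGroup) bool {
	if int(c.active.Add(1)) > c.MaxStreams {
		c.active.Add(-1)
		return false
	}
	select {
	case c.Pool <- struct{}{}: // acquired a worker slot
	default: // pool saturated: reject instead of spawning another goroutine
		c.active.Add(-1)
		return false
	}
	wg.Add(1)
	go func() {
		defer func() { <-c.Pool; c.active.Add(-1); wg.Done() }() // release
		handle(id)
	}()
	return true
}
// Simulate opens n slow streams on one connection (constructed load, not a
// client) and reports how many were admitted and how many were shed.
func Simulate(maxStreams, poolSize, n int) (accepted, rejected int) {
	conn := &Conn{MaxStreams: maxStreams, Pool: make(chan struct{}, poolSize)}
	gate := make(chan struct{}) // handlers block here, so each admitted stream keeps its slot
	var wg sync.WaitGroup
	for i := 0; i < n; i++ {
		if conn.HandleStream(i, func(int) { <-gate }, &wg) {
			accepted++
		}
	}
	close(gate)
	wg.Wait()
	return accepted, n - accepted
}
```

With the patch defaults (256 streams per connection, 1024 workers) a burst of 1000 streams on one connection admits 256 and sheds the rest; with a pool of 4 only 4 goroutines ever exist, whatever the burst size.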

Workarounds

If you're unable to upgrade immediately, you can:

  • Disable QUIC support by removing or commenting out the quic:// block in your Corefile
  • Use container runtime resource limits to detect and isolate excessive memory usage
  • Monitor QUIC connection patterns and alert on anomalies

References

Credit

Thanks to @thevilledev for discovering this vulnerability and contributing a high-quality fix.

For more information

Please consult our security guide for more information regarding our security process.

Affected Packages

1 total, 1 fixed

Ecosystem   Package                      Vulnerable range   Fix
Go          github.com/coredns/coredns   all versions       1.12.2

Detection & mitigation playbook

Open-source dependency
  1. Detect

    Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for github.com/coredns/coredns. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.

  2. Fix

    Update github.com/coredns/coredns to 1.12.2 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-cvx7-x8pj-x2gw is resolved across your whole dependency graph.

  3. Workarounds

    If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.

  4. How O3 protects you

    O3 pinpoints whether GHSA-cvx7-x8pj-x2gw is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Tailored to GHSA-cvx7-x8pj-x2gw. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
