Denial of Service Vulnerability in DNSdist by PowerDNS
CVE-2025-30194

7.5HIGH

Key Information:

Vendor
Powerdns
Status
Dnsdist
Vendor
CVE Published:
29 April 2025

What is CVE-2025-30194?

CVE-2025-30194 is a denial of service vulnerability that affects DNSdist, a DNS proxy and load balancer developed by PowerDNS. This product is intended to enhance DNS performance and security by managing DNS queries. The vulnerability arises when DNSdist is configured to support DNS over HTTPS (DoH) through the nghttp2 provider. An attacker can exploit this vulnerability by sending a specially crafted DoH request that triggers a double-free memory error, ultimately causing DNSdist to crash. For organizations relying on DNSdist to maintain their DNS services, this vulnerability poses a significant risk, as it can lead to service interruptions and hinder operational capabilities.

Technical Details

The vulnerability occurs specifically when DNSdist is operating with the nghttp2 provider for DNS over HTTPS. By manipulating the DoH exchange, attackers can trigger an illegal memory access, resulting in a crash of the DNSdist service. This double-free error relates to improper handling of memory allocations, which can destabilize the server and disrupt service continuity. As a result, any services dependent on DNS resolution through DNSdist can be rendered unavailable during an attack.

Potential Impact of CVE-2025-30194

  1. Service Disruption: The primary impact of this vulnerability is a denial of service, which can lead to significant downtime for organizations relying on DNSdist for their DNS queries. This could impede access to internal and external resources.

  2. Operational Risks: Extended service outages can force organizations to divert resources to mitigate the effects of the attack, detracting from other critical operations and potentially leading to financial losses.

  3. Increased Vulnerability to Further Attacks: While this denial of service attack might seem contained, the resulting chaos and disruption can open the door for other types of attacks, as security posture may be compromised during the incident response efforts.

Affected Version(s)

DNSdist 1.9.0 < 1.9.9

References

https://dnsdist.org/security-advisories/powerdns-advisory...

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Charles Howes
.