Denial of Service Vulnerability in CoreDNS by a Leading DNS Solution Provider
CVE-2025-68151

6.6MEDIUM

Key Information:

Vendor

Coredns

Status
Coredns
Vendor
CVE Published:
8 January 2026

What is CVE-2025-68151?

CoreDNS, a DNS server featuring plugin chaining, is susceptible to a denial of service vulnerability found in multiple server implementations such as gRPC, HTTPS, and HTTP/3, prior to version 1.14.0. This vulnerability allows an unauthenticated remote attacker to exploit the absence of resource-limiting controls, leading to memory exhaustion and potential server crashes. Attackers can leverage this flaw by establishing numerous concurrent connections, sending oversized request bodies, or streaming excessive data. The issue is reminiscent of similar vulnerabilities, but it affects additional server types lacking enforced limits. A patch has been introduced in version 1.14.0 to mitigate this risk.

Affected Version(s)

coredns < 1.14.0

References

https://github.com/coredns/coredns/security/advisories/GH...
x_refsource_CONFIRM
https://github.com/coredns/coredns/pull/7490
x_refsource_MISC
https://github.com/coredns/coredns/commit/0d8cbb1a6bcb6bc...
x_refsource_MISC

CVSS V4

Score:
6.6
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.