PT-2025-15436 · C-Ares+5
Published: 2025-04-08 · Updated: 2025-11-18
CVE-2025-31498
CVSS v4.0: 8.3 (High)
Vector: AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
c-ares versions 1.32.3 through 1.34.4
Node.js versions prior to 22.15.0
Description
A use-after-free vulnerability exists in the read_answers() function of c-ares, a library used for asynchronous DNS resolution. This occurs when process_answer() may re-enqueue a query due to a DNS Cookie Failure or if the upstream server does not properly support EDNS, or potentially on TCP queries if the remote connection is closed immediately after a response. If an issue occurs while attempting to place the new transaction on the wire, the connection handle is closed, but read_answers() still expects it to be available. A remote attacker could potentially exploit this by flooding the target with ICMP UNREACHABLE packets if they control the upstream nameserver, or a local attacker could manipulate system behavior to cause send() or write() to return a failure condition. This vulnerability is addressed in c-ares version 1.34.5.
Recommendations
Update c-ares to version 1.34.5 or later.
Update Node.js to version 22.15.0 or later.
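The lifetime problem in the description, as an added toy model in C (not c-ares source and not the 1.34.5 patch). All names (conn_t, requeue, drain_unchecked, drain_checked) are hypothetical, and a closed flag stands in for the freed handle so the stale access can be counted safely.

```c
/* Added illustration: a toy model of the pattern, not c-ares source.
   All names here (conn_t, requeue, drain_*) are hypothetical. */
#include <stdbool.h>
#include <stdio.h>

typedef struct { bool open; int pending; } conn_t;  /* pending = buffered answers */

static int stale_reads;   /* times the read loop touched a closed handle */
static bool send_fails;   /* constructed fault: send()/write() returns an error */

/* Re-enqueue path: if the retransmit cannot be written, the handle is closed. */
static void requeue(conn_t *c) {
    if (send_fails) c->open = false;  /* stands in for close + free of the handle */
}

/* One answer is consumed; `retry` models a cookie failure or missing EDNS support. */
static void process_one(conn_t *c, bool retry) {
    c->pending--;
    if (retry) requeue(c);
}

/* Pattern from the description: the loop assumes the handle outlives the callback. */
static int drain_unchecked(conn_t *c, bool retry) {
    int handled = 0;
    while (c->pending > 0) {
        if (!c->open) stale_reads++;  /* in real code this read is the use-after-free */
        process_one(c, retry);
        handled++;
    }
    return handled;
}

/* Defensive variant: re-validate the handle after every callback that may close it. */
static int drain_checked(conn_t *c, bool retry) {
    int handled = 0;
    while (c->open && c->pending > 0) {
        process_one(c, retry);
        handled++;
    }
    return handled;
}
int main(void) {
    send_fails = true;
    conn_t a = { true, 3 }, b = { true, 3 };
    int ua = drain_unchecked(&a, true);
    int cb = drain_checked(&b, true);
    printf("unchecked: handled=%d stale=%d; checked: handled=%d\n", ua, stale_reads, cb);
    return 0;
}
```

With the send failure injected, the unchecked loop keeps dequeuing from a handle that was closed by its own callback, while the checked loop stops after the first answer.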
Exploit
Fix
RCE
DoS
Use After Free
Affected Products
Almalinux
Centos
Red Hat
Rocky Linux
Ubuntu
C-Ares