PT-2025-24315 · Coredns · Coredns

Thevilledev · Published 2025-06-06 · Updated 2026-05-21 · CVE-2025-47950

CVSS v2.0: 7.8 (High) · Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions: CoreDNS versions prior to 1.12.2; CoreDNS versions prior to 1.21.2

Description: A Denial of Service (DoS) issue exists in the CoreDNS DNS-over-QUIC (DoQ) server implementation. The server previously created a new goroutine for every incoming QUIC stream without imposing any limits on the number of concurrent streams or goroutines. A remote, unauthenticated attacker could open a large number of streams, leading to uncontrolled memory consumption and eventually causing an Out Of Memory (OOM) crash — especially in containerized or memory-constrained environments. The patch introduces two key mitigation mechanisms: max streams, which caps the number of concurrent QUIC streams per connection with a default value of 256; and worker pool size, which introduces a server-wide, bounded worker pool to process incoming streams with a default value of 1024.

Recommendations: For versions prior to 1.12.2, update to version 1.12.2 or later. For versions prior to 1.21.2, update to version 1.21.2 or later. As a temporary workaround, consider disabling QUIC support by removing or commenting out the quic:// block in the Corefile. Use container runtime resource limits to detect and isolate excessive memory usage. Monitor QUIC connection patterns and alert on anomalies.
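The two mitigations the patch introduces, a per-connection stream cap and a server-wide bounded worker pool, written here as an added Go example that is not CoreDNS's own code. `Conn`, `StreamServer` and the handler are hypothetical stand-ins for the QUIC connection and stream types; the 256 and 1024 defaults are the ones quoted in the description above.

```go
package main

import (
	"errors"
	"sync"
	"sync/atomic"
)

// Defaults quoted from the advisory: 256 streams per connection, 1024 workers server-wide.
const DefaultMaxStreams, DefaultWorkerPoolSize = 256, 1024
var ErrTooManyStreams = errors.New("per-connection stream limit reached")
var ErrPoolExhausted = errors.New("server-wide worker pool exhausted")
// Conn stands in for one QUIC connection and counts its open streams (hypothetical type).
type Conn struct {
	MaxStreams int64
	open       int64
}
// StreamServer replaces the unbounded "go handle(stream)" with a semaphore-bounded worker pool.
type StreamServer struct {
	slots  chan struct{} // one token per worker; a full channel means the pool is busy
	handle func(stream []byte)
	wg     sync.WaitGroup
}
func NewStreamServer(poolSize int, handle func([]byte)) *StreamServer {
	return &StreamServer{slots: make(chan struct{}, poolSize), handle: handle}
}
// Accept admits a stream only if its connection is under MaxStreams and a worker is free;
// it fails fast instead of queueing, so memory cannot grow with the number of streams sent.
func (s *StreamServer) Accept(c *Conn, stream []byte) error {
	if atomic.AddInt64(&c.open, 1) > c.MaxStreams {
		atomic.AddInt64(&c.open, -1)
		return ErrTooManyStreams
	}
	select {
	case s.slots <- struct{}{}: // acquire a worker token without blocking
	default:
		atomic.AddInt64(&c.open, -1)
		return ErrPoolExhausted
	}
	s.wg.Add(1)
	go func() {
		defer s.wg.Done()
		s.handle(stream)
		<-s.slots // return the token, then count the stream as closed
		atomic.AddInt64(&c.open, -1)
	}()
	return nil
}
// Wait blocks until every admitted stream has been handled.
func (s *StreamServer) Wait() { s.wg.Wait() }
```

Because both checks happen synchronously in `Accept`, the 257th stream on one connection and the first stream past the pool size are refused before any goroutine is spawned, which is the property the unpatched server lacked.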

Tags: Exploit · Fix

Weakness Enumeration: DoS; Allocation of Resources Without Limits

Related Identifiers

AZL-63678
AZL-63695
BDU:2025-06624
CLEANSTART-2026-VJ54611
CVE-2025-47950
ECHO-FE0D-9184-E720
GHSA-CVX7-X8PJ-X2GW
GO-2025-3743
OPENSUSE-SU-2025:15225-1

Affected Products

Coredns