CVE-2025-31498: 
npm vulnerability analysis and mitigation

CVE-2025-31498 affects c-ares, an asynchronous resolver library, versions 1.32.3 through 1.34.4. The vulnerability is a use-after-free issue in the readanswers() function when processanswer() may re-enqueue a query due to DNS Cookie Failure, upstream server EDNS incompatibility, or TCP query connection closure. The vulnerability was discovered by Erik Lax and was patched in version 1.34.5 (GitHub Advisory).

The vulnerability occurs when a connection handle is closed due to transaction issues, but read_answers() continues to expect the handle to be available for dequeuing responses. This creates a use-after-free condition in the DNS resolution process. The issue has been assigned a CVSSv4 score of 8.3 (High), with attack vector being Network and attack complexity being High (GitHub Advisory, Security Online).

The vulnerability could potentially lead to system crashes or possible code execution. The impact metrics indicate Low impact on confidentiality and integrity, but High impact on availability of the vulnerable system. The vulnerability affects the core DNS resolution functionality, which could disrupt network operations for applications using the c-ares library (GitHub Advisory).

The vulnerability has been fixed in c-ares version 1.34.5. Users should upgrade to this version immediately. For those unable to upgrade immediately, there are no known workarounds. Specific patches are available for different versions: 1.34 patches, 1.33 patches, and 1.32 patches through the official repository (GitHub Advisory).