CVE-2025-47950
Wolfi vulnerability analysis and mitigation

Overview

CoreDNS, a DNS server that chains plugins, was found to contain a Denial of Service (DoS) vulnerability (CVE-2025-47950) in its DNS-over-QUIC (DoQ) server implementation in versions prior to 1.12.2. The vulnerability was discovered and disclosed on June 6, 2025. The issue stems from the server creating a new goroutine for every incoming QUIC stream without imposing any limits on concurrent streams or goroutines (GitHub Advisory).

Technical details

The vulnerability lies in the CoreDNS DNS-over-QUIC server implementation, which before the fix mapped every incoming QUIC stream to its own goroutine with no upper bound. A remote, unauthenticated attacker could therefore open a large number of streams and drive memory consumption without limit. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, indicating a network-accessible attack requiring no privileges or user interaction (NVD, GitHub Advisory).

Impact

The vulnerability can lead to Out Of Memory (OOM) crashes, which particularly affects containerized or memory-constrained environments. A single attacker can render a CoreDNS instance unresponsive using minimal bandwidth and CPU. Every deployment with a quic:// block enabled in the Corefile is affected (GitHub Advisory).

Mitigation and workarounds

The vulnerability was patched in version 1.12.2 with two key mitigation mechanisms: 'maxstreams', which caps concurrent QUIC streams per connection (256 by default), and 'workerpool_size', which introduces a server-wide bounded worker pool of 1024 workers. For users unable to upgrade immediately, workarounds include disabling QUIC support by removing the quic:// block from the Corefile, applying container runtime resource limits, and monitoring QUIC connection patterns (GitHub Advisory).
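The bounded design the fix describes, as an added Go sketch that is not CoreDNS code: a per-connection cap stands in for 'maxstreams' and a fixed worker pool for 'workerpool_size', replacing the goroutine-per-stream pattern. The Stream type and the Server/Accept names are assumed for the demo; a real server would hand quic-go streams to Accept.

```go
package main

import "sync"

type Stream struct{ ConnID, ID int } // stands in for a QUIC stream (constructed type)

// Server bounds DoQ work as the 1.12.2 fix describes: a per-connection stream cap
// (maxstreams) plus a fixed worker pool (workerpool_size) replace goroutine-per-stream.
type Server struct {
	maxStreams int
	jobs       chan Stream // bounded queue; cannot grow with the attacker's stream count
	mu         sync.Mutex
	inflight   map[int]int // streams queued or running, per connection
	Peak       int         // most streams ever in flight on a single connection
	wg         sync.WaitGroup
}

func NewServer(maxStreams, poolSize int, handle func(Stream)) *Server {
	s := &Server{maxStreams: maxStreams, jobs: make(chan Stream, poolSize), inflight: map[int]int{}}
	for i := 0; i < poolSize; i++ { // workers are started once; never one per stream
		s.wg.Add(1)
		go func() {
			defer s.wg.Done()
			for st := range s.jobs {
				handle(st)
				s.mu.Lock()
				s.inflight[st.ConnID]-- // release the connection's slot
				s.mu.Unlock()
			}
		}()
	}
	return s
}

// Accept refuses a new stream synchronously once its connection has maxStreams in flight.
func (s *Server) Accept(st Stream) bool {
	s.mu.Lock()
	if s.inflight[st.ConnID] >= s.maxStreams {
		s.mu.Unlock()
		return false
	}
	if s.inflight[st.ConnID]++; s.inflight[st.ConnID] > s.Peak {
		s.Peak = s.inflight[st.ConnID]
	}
	s.mu.Unlock()
	s.jobs <- st // blocks (back-pressure on the reader) only when every worker is busy
	return true
}

func (s *Server) Close() { close(s.jobs); s.wg.Wait() } // drain the queue, stop workers
```

With one connection flooding 100 streams against maxStreams=4, Peak never exceeds 4 while a second connection is still served from its own budget.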

Community reactions

Red Hat has assigned the vulnerability a modified CVSS score of 5.3, noting that on Red Hat systems a denial of service against the CoreDNS service does not take down the host, which lowers the assessed availability impact (Red Hat).

This report was generated using AI.
