Moderate severity · OSV Advisory · Published Jan 8, 2026 · Updated Jan 8, 2026
CoreDNS gRPC/HTTPS/HTTP3 servers lack resource limits, enabling DoS via unbounded connections and oversized messages
CVE-2025-68151
Description
CoreDNS is a DNS server that chains plugins. Prior to version 1.14.0, multiple CoreDNS server implementations (gRPC, HTTPS, and HTTP/3) lack critical resource-limiting controls. An unauthenticated remote attacker can exhaust memory and degrade or crash the server by opening many concurrent connections, streams, or sending oversized request bodies. The issue is similar in nature to CVE-2025-47950 (QUIC DoS) but affects additional server types that do not enforce connection limits, stream limits, or message size constraints. Version 1.14.0 contains a patch.
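The two controls the description names as missing, a bound on concurrent work and a cap on request body size, shown on a plain Go net/http handler. This is an added example, not CoreDNS code and not the 1.14.0 patch; the helper names (limited, readMessage, status) and the limit values are hypothetical, and the concurrency cap here counts in-flight requests rather than connections or streams.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// limited (hypothetical helper, not CoreDNS code) caps in-flight requests and body size.
func limited(next http.Handler, inFlight int, bodyCap int64) http.Handler {
	slots := make(chan struct{}, inFlight)
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		select {
		case slots <- struct{}{}:
			defer func() { <-slots }()
		default: // shed load instead of queueing without bound
			http.Error(w, "busy", http.StatusServiceUnavailable)
			return
		}
		r.Body = http.MaxBytesReader(w, r.Body, bodyCap)
		next.ServeHTTP(w, r)
	})
}

// readMessage stands in for a handler that buffers the whole request body.
func readMessage(w http.ResponseWriter, r *http.Request) {
	code := http.StatusOK
	var tooBig *http.MaxBytesError
	if _, err := io.ReadAll(r.Body); errors.As(err, &tooBig) {
		code = http.StatusRequestEntityTooLarge
	} else if err != nil {
		code = http.StatusBadRequest
	}
	w.WriteHeader(code)
}

// status posts a constructed n-byte body through h and returns the HTTP code.
func status(h http.Handler, n int) int {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest("POST", "/", strings.NewReader(strings.Repeat("A", n))))
	return rec.Code
}

func main() {
	h := limited(http.HandlerFunc(readMessage), 2, 64<<10)
	fmt.Println(status(h, 512), status(h, 64<<10+1))
}
```

Without the MaxBytesReader wrapper, io.ReadAll would buffer whatever the client sends; without the slot channel, every concurrent request would get its own buffer.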
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/coredns/coredns (Go) | < 1.14.0 | 1.14.0 |
Affected products
| Package (purl) | CPE | Affected range |
|---|---|---|
| pkg:apk/chainguard/cloudflared | none | < 2026.2.0-r0 |
| pkg:apk/chainguard/cloudflared-fips | none | < 2026.2.0-r0 |
| pkg:apk/chainguard/eks-distro-coredns-1.31 | none | < 1.31.43-r2 |
| pkg:apk/chainguard/eks-distro-coredns-1.32 | none | < 1.32.31-r1 |
| pkg:apk/chainguard/eks-distro-coredns-1.33 | none | < 1.33.25-r1 |
| pkg:apk/chainguard/eks-distro-coredns-1.34 | none | < 1.34.17-r2 |
| pkg:apk/chainguard/eks-distro-coredns-1.35 | none | < 1.35.7-r1 |
| pkg:apk/chainguard/eks-distro-coredns-fips-1.31 | none | < 1.31.43-r2 |
| pkg:apk/chainguard/eks-distro-coredns-fips-1.32 | none | < 1.32.31-r1 |
| pkg:apk/chainguard/eks-distro-coredns-fips-1.33 | none | < 1.33.25-r1 |
| pkg:apk/chainguard/eks-distro-coredns-fips-1.35 | none | < 1.35.7-r1 |
| pkg:apk/wolfi/cloudflared | none | < 2026.2.0-r0 |
| pkg:golang/github.com/coredns/coredns | none | < 1.14.0 |
| pkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Leap%2015.6 | none | < 0.0.20260114T191543-150000.1.137.1 |
References
- github.com/advisories/GHSA-527x-5wrf-22m2 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2025-68151 (ghsa, ADVISORY)
- github.com/coredns/coredns/commit/0d8cbb1a6bcb6bc9c1a489865278b8725fa20812 (ghsa, x_refsource_MISC, WEB)
- github.com/coredns/coredns/pull/7490 (ghsa, x_refsource_MISC, WEB)
- github.com/coredns/coredns/security/advisories/GHSA-527x-5wrf-22m2 (ghsa, x_refsource_CONFIRM, WEB)