CVE-2025-30193

Summary

In some circumstances, when DNSdist is configured to allow an unlimited number of queries on a single, incoming TCP connection from a client, an attacker can cause a denial of service by crafting a TCP exchange that triggers an exhaustion of the stack and a crash of DNSdist, causing a denial of service.

The remedy is: upgrade to the patched 1.9.10 version.

A workaround is to restrict the maximum number of queries on incoming TCP connections to a safe value, like 50, via the setMaxTCPQueriesPerConnection setting.

We would like to thank Renaud Allard for bringing this issue to our attention.

Affected Software

VendorProductVersion RangeStatus
PowerDNSDNSdist1.9.10unaffected

Weaknesses

  • CWE-674: CWE-674 Uncontrolled Recursion

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References