Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools

DNSdist

Source -

CNA

CNA CVEs -

3

ADP CVEs -

0

CISA CVEs -

0

NVD CVEs -

0
Related CVEsRelated VendorsRelated AssignersReports
3Vulnerabilities found
CVE-2025-30193
Assigner-Open-Xchange
ShareView Details
Assigner-Open-Xchange
CVSS Score-7.5||HIGH
EPSS-0.05% / 16.20%
||
7 Day CHG~0.00%
Published-20 May, 2025 | 11:17
Updated-21 May, 2025 | 20:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Denial of service via crafted TCP exchange

In some circumstances, when DNSdist is configured to allow an unlimited number of queries on a single, incoming TCP connection from a client, an attacker can cause a denial of service by crafting a TCP exchange that triggers an exhaustion of the stack and a crash of DNSdist, causing a denial of service. The remedy is: upgrade to the patched 1.9.10 version. A workaround is to restrict the maximum number of queries on incoming TCP connections to a safe value, like 50, via the setMaxTCPQueriesPerConnection setting. We would like to thank Renaud Allard for bringing this issue to our attention.

Action-Not Available
Vendor-PowerDNS
Product-DNSdist
CWE ID-CWE-674
Uncontrolled Recursion
CVE-2025-30194
Assigner-Open-Xchange
ShareView Details
Assigner-Open-Xchange
CVSS Score-7.5||HIGH
EPSS-0.07% / 20.60%
||
7 Day CHG~0.00%
Published-29 Apr, 2025 | 11:25
Updated-20 Jun, 2025 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Denial of service via crafted DoH exchange

When DNSdist is configured to provide DoH via the nghttp2 provider, an attacker can cause a denial of service by crafting a DoH exchange that triggers an illegal memory access (double-free) and crash of DNSdist, causing a denial of service. The remedy is: upgrade to the patched 1.9.9 version. A workaround is to temporarily switch to the h2o provider until DNSdist has been upgraded to a fixed version. We would like to thank Charles Howes for bringing this issue to our attention.

Action-Not Available
Vendor-PowerDNS
Product-DNSdist
CWE ID-CWE-416
Use After Free
CVE-2024-25581
Assigner-Open-Xchange
ShareView Details
Assigner-Open-Xchange
CVSS Score-7.5||HIGH
EPSS-0.01% / 1.67%
||
7 Day CHG~0.00%
Published-13 May, 2024 | 11:49
Updated-13 Feb, 2025 | 18:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Transfer requests received over DoH can lead to a denial of service in DNSdist

When incoming DNS over HTTPS support is enabled using the nghttp2 provider, and queries are routed to a tcp-only or DNS over TLS backend, an attacker can trigger an assertion failure in DNSdist by sending a request for a zone transfer (AXFR or IXFR) over DNS over HTTPS, causing the process to stop and thus leading to a Denial of Service. DNS over HTTPS is not enabled by default, and backends are using plain DNS (Do53) by default.

Action-Not Available
Vendor-PowerDNSpowerdns
Product-DNSdistdnsdist
CWE ID-CWE-20
Improper Input Validation