CoreDNS
cpe:2.3:a:coredns.io:coredns:*:*:*:*:*:*:*
- < 1.14.0
A denial-of-service vulnerability has been identified in CoreDNS versions prior to 1.14.0, specifically in the gRPC, HTTPS, and HTTP/3 server implementations. These servers lack essential resource-limiting controls (no cap on concurrent connections or streams, and no bound on request message size), allowing an unauthenticated remote attacker to exhaust memory and degrade or crash the server. Exploitation can be achieved by opening numerous concurrent connections or streams, or by sending oversized request bodies. The issue is similar to CVE-2025-47950, which affected QUIC servers; here the same missing connection, stream, and message-size limits affect the additional server types listed above.
Exploitation of this vulnerability leads to memory exhaustion, causing the CoreDNS process to become unresponsive or to be terminated by the out-of-memory (OOM) killer. This denial-of-service effect can be achieved by opening many parallel connections, rapidly issuing requests without limit, or sending oversized messages that violate DNS protocol constraints.
The vulnerability can be reproduced by deploying a CoreDNS server version prior to 1.14.0 with the gRPC, HTTPS, or HTTP/3 plugins enabled. Once the server is running, an unauthenticated client can open multiple concurrent connections or streams, or send oversized request bodies, to exhaust the server's memory resources. This can be automated with a script or tool that manages concurrent connections and monitors the server's response.
Users can upgrade to CoreDNS version 1.14.0 or later, where this vulnerability has been patched. Instructions for updating CoreDNS can be found in the CoreDNS documentation.
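As an added illustration (example code, not CoreDNS's own implementation), the Go handler below shows the two controls the advisory says were missing applied to a DNS-over-HTTPS style endpoint: a bound on the request body size and a cap on concurrently processed requests that fails fast instead of buffering without limit. The handler name `handleDNS`, the listen port, and the `maxInFlight` value are assumptions chosen for the example; the 65535-byte ceiling comes from the 16-bit length prefix that bounds DNS wire messages over TCP.

```go
package main

import (
	"fmt"
	"io"
	"log"
	"net/http"
	"time"
)

// Added example: a DoH-style handler with a message-size bound and a
// concurrent-request cap. Illustrative only; not CoreDNS code.

// A DNS wire message is bounded at 65535 bytes by the 16-bit length prefix
// used for DNS over TCP, so any larger body can be rejected before it is read.
const maxDNSMessageBytes = 65535

// maxInFlight caps how many requests are processed at once. The value is an
// assumption for this example; size it to the memory budget of the process.
const maxInFlight = 64

// handleDNS is a hypothetical stand-in for the resolver: it reads the POSTed
// message and reports its length. A real handler would resolve the query.
func handleDNS(w http.ResponseWriter, r *http.Request) {
	body, err := io.ReadAll(r.Body)
	if err != nil {
		// http.MaxBytesReader returns an error once the cap is exceeded,
		// so the oversized body is never fully buffered in memory.
		http.Error(w, "request body too large", http.StatusRequestEntityTooLarge)
		return
	}
	w.Header().Set("Content-Type", "application/dns-message")
	fmt.Fprintf(w, "received %d bytes", len(body))
}

// withBodyLimit refuses to buffer more than max bytes of any request body.
func withBodyLimit(next http.Handler, max int64) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		r.Body = http.MaxBytesReader(w, r.Body, max)
		next.ServeHTTP(w, r)
	})
}

// withConcurrencyLimit admits at most n requests at a time. When the slots
// are all taken it answers 503 immediately rather than queueing, which keeps
// memory use proportional to n instead of to the number of open streams.
func withConcurrencyLimit(next http.Handler, n int) http.Handler {
	sem := make(chan struct{}, n)
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		select {
		case sem <- struct{}{}:
			defer func() { <-sem }()
			next.ServeHTTP(w, r)
		default:
			w.Header().Set("Retry-After", "1")
			http.Error(w, "server busy", http.StatusServiceUnavailable)
		}
	})
}

// newHardenedHandler composes both limits around the resolver handler.
func newHardenedHandler(maxBytes int64, inFlight int) http.Handler {
	return withConcurrencyLimit(
		withBodyLimit(http.HandlerFunc(handleDNS), maxBytes),
		inFlight,
	)
}

func main() {
	srv := &http.Server{
		Addr:              ":8053", // assumed port for the example
		Handler:           newHardenedHandler(maxDNSMessageBytes, maxInFlight),
		ReadHeaderTimeout: 5 * time.Second,
		ReadTimeout:       10 * time.Second,
		IdleTimeout:       30 * time.Second,
		MaxHeaderBytes:    8 << 10,
	}
	log.Fatal(srv.ListenAndServe())
}
```

The request-level limits above are only part of the picture: the number of accepted connections is bounded at the listener, and for HTTP/2 the per-connection stream count is bounded on the transport (in Go, `MaxConcurrentStreams` on `http2.Server` from `golang.org/x/net/http2`). The timeouts on `http.Server` complement the caps by reclaiming slots held by idle or slow clients.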