Twisted DNS Module Denial-of-Service Vulnerability

Vulnerability

A denial-of-service vulnerability has been identified in the Twisted framework's DNS handling module, specifically in versions through 25.5.0. This issue arises from resource exhaustion during the decompression of DNS names. A remote, unauthenticated attacker can exploit this vulnerability by sending a crafted TCP DNS packet that includes deeply nested compression pointers. This exploitation bypasses existing loop-prevention mechanisms, causing the single-threaded Twisted reactor to become unresponsive while it processes millions of recursive lookups, effectively freezing the server.

Impact

Exploitation of this vulnerability causes the Twisted reactor's event loop to hang, blocking the server from handling new connections, processing I/O, or responding to existing requests. This behavior is characteristic of a denial-of-service condition, paralyzing the server for the duration of the DNS name decompression.

Reproduction

The vulnerability can be reproduced by sending a crafted TCP DNS packet to a server running an affected version of Twisted. The packet should contain a large number of compression pointers that reference each other in a way that creates a deep chain, bypassing the DNS decoder's loop-prevention logic. This can be done using a Python script that constructs such a packet and sends it to the server.

Remediation

Users are advised to update to Twisted version 26.4.0rc2 or later, where this vulnerability has been fixed.
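The Vulnerability section above describes the defect pattern: the decoder's loop prevention stops a compression pointer from revisiting itself, but it does not bound how many distinct pointers a single name may chain through, so a long acyclic chain is followed to the end. The decoder below is an added illustration of the two checks a hardened implementation keeps separate. It is not Twisted's code and not the fix shipped in 26.4.0rc2; the hop limit of 16 and the constructed test messages are assumptions made for the example.

```python
"""Bounded DNS name decompression (RFC 1035, section 4.1.4).

Added illustration, not Twisted's code and not the fix shipped in
Twisted 26.4.0rc2.  Two independent limits are enforced while following
compression pointers:

  * a visited-offset check, which stops pointer cycles (the classic
    loop-prevention step), and
  * a cap on the number of pointer hops per name, which stops long
    acyclic chains that a pure loop check would follow to the end.

The numeric limits are assumed values chosen for the example.
"""

MAX_POINTER_HOPS = 16     # assumed: a legitimate name needs one or two hops
MAX_NAME_OCTETS = 255     # RFC 1035 limit on an uncompressed name


class NameDecodeError(ValueError):
    """Raised for malformed, looping or over-deep compressed names."""


def decode_name(message: bytes, offset: int, max_hops: int = MAX_POINTER_HOPS):
    """Decode the domain name at `offset` in the DNS message `message`.

    Returns (name, end_offset): `name` is the dotted text form and
    `end_offset` is the position just after the name's bytes at `offset`
    (a pointer occupies two bytes and ends the name at its own location).
    """
    labels = []
    octets = 0            # running size of the uncompressed name
    hops = 0              # compression pointers followed so far
    seen = set()          # offsets of pointers already followed
    end = None            # end position at the *original* location
    pos = offset
    while True:
        if pos >= len(message):
            raise NameDecodeError("name runs past end of message")
        length = message[pos]
        if length == 0:                      # root label: name complete
            if end is None:
                end = pos + 1
            break
        if length & 0xC0 == 0xC0:            # two-byte compression pointer
            if pos + 1 >= len(message):
                raise NameDecodeError("truncated compression pointer")
            if end is None:
                end = pos + 2
            if pos in seen:                  # loop prevention: same pointer twice
                raise NameDecodeError("compression pointer loop")
            seen.add(pos)
            hops += 1
            if hops > max_hops:              # depth bound: the missing check
                raise NameDecodeError(f"more than {max_hops} pointer hops in one name")
            pos = ((length & 0x3F) << 8) | message[pos + 1]
            continue
        if length & 0xC0:
            raise NameDecodeError("reserved label type 0x%02x" % (length & 0xC0))
        if pos + 1 + length > len(message):
            raise NameDecodeError("label runs past end of message")
        octets += 1 + length
        if octets > MAX_NAME_OCTETS:
            raise NameDecodeError("name longer than 255 octets")
        labels.append(message[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels), end


def append_pointer_chain(message: bytes, target: int, depth: int):
    """Constructed test fixture: append `depth` pointers, each referring to the
    one before it, and return (new_message, offset_of_last_pointer)."""
    buf = bytearray(message)
    for _ in range(depth):
        here = len(buf)
        buf += bytes([0xC0 | (target >> 8), target & 0xFF])
        target = here
    return bytes(buf), target


def demo():
    """Run the decoder over a constructed message and report what it accepts."""
    base = b"\x07example\x03com\x00"          # "example.com" at offset 0
    msg = base + b"\x03www\xc0\x00"          # "www" followed by a pointer to offset 0
    results = {"plain": decode_name(msg, 0), "compressed": decode_name(msg, 13)}
    short_msg, short_off = append_pointer_chain(msg, 0, 3)
    results["short_chain"] = decode_name(short_msg, short_off)
    deep_msg, deep_off = append_pointer_chain(msg, 0, 40)
    try:
        decode_name(deep_msg, deep_off)
        results["deep_chain"] = "accepted"
    except NameDecodeError as exc:
        results["deep_chain"] = str(exc)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the layout is that the `seen` set alone would still accept the 40-hop chain, since no offset repeats; only the hop counter makes the cost of decoding one name independent of message size, which is what keeps a single-threaded reactor responsive. A deployment should also count the total work per message, since a response can carry thousands of names that each reference a shared chain.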

Added: May 13, 2026, 9:32 PM
Updated: May 13, 2026, 9:32 PM

Vulnerability Rating

Custom Algorithm
spread: 3.1
impact: 2.5
exploitability: 9.5
remediation: 7.7
relevance: 8.2
threat: 6.4
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.