CVE-2024-25581 HIGH

CVE-2024-25581: Transfer requests received over DoH can lead to a denial of service in DNSdist

Vendor PowerDNS
Product DNSdist
Weakness CWE-20 · Input validation
Published May 13, 2024
Last update February 13, 2025

CVSS base score

7.5/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality None
Integrity None
Availability High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

What the vulnerability does

Description

When incoming DNS over HTTPS (DoH) support is enabled using the nghttp2 provider, and queries are routed to a TCP-only or DNS over TLS (DoT) backend, an attacker can trigger an assertion failure in DNSdist by sending a request for a zone transfer (AXFR or IXFR) over DoH. The assertion failure stops the process, leading to a denial of service. DoH is not enabled by default, and backends use plain DNS (Do53) by default.

Key dates

Disclosure timeline

May 13, 2024 CVE published
February 13, 2025 Record updated