CVE-2025-30187 LOW

CVE-2025-30187: Denial of service via crafted DoH exchange in PowerDNS DNSdist

Vendor Powerdns

Product DNSdist

Weakness CWE-835

Published September 18, 2025

Last update November 4, 2025

View on NVD All CVEs

CVSS base score

3.7/10

Attack vector Network

Attack complexity High

Privileges required None

User interaction None

Confidentiality None

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

What the vulnerability does

01Description

In some circumstances, when DNSdist is configured to use the nghttp2 library to process incoming DNS over HTTPS queries, an attacker might be able to cause a denial of service by crafting a DoH exchange that triggers an unbounded I/O read loop, causing an unexpected consumption of CPU resources.

Key dates

02Disclosure timeline

September 18, 2025 CVE published

November 4, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-30187 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/835.html

Related vulnerabilities

Identifiers

CVE CVE-2025-30187

CWE CWE-835

CVSS 3.7 / LOW

Affected versions

Vendor Powerdns

Product DNSdist

Affected ≥ 1.9.0 and < 1.9.11

Vendor Powerdns

Product DNSdist

Affected ≥ 2.0.0 and < 2.0.1

CVE-2025-30187: Denial of service via crafted DoH exchange in PowerDNS DNSdist

01Description

02Disclosure timeline

03References

04Related CVE