FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

dnsdist -- Denial of service via crafted DoH exchange

Affected packages
dnsdist < 1.9.11
2.0.0 <= dnsdist < 2.0.1

Details

VuXML ID c2253bff-9952-11f0-b6e2-6805ca2fa271
Discovery 2025-09-18
Entry 2025-09-24
Modified 2025-09-26

security@open-xchange.com reports:

In some circumstances, when DNSdist is configured to use the nghttp2 library to process incoming DNS over HTTPS queries, an attacker might be able to cause a denial of service by crafting a DoH exchange that triggers an unbounded I/O read loop, causing an unexpected consumption of CPU resources. The offending code was introduced in DNSdist 1.9.0-alpha1, so previous versions are not affected.

References

CVE Name CVE-2025-30187
URL https://nvd.nist.gov/vuln/detail/CVE-2025-30187