CoreDNS Vulnerability Allows Attackers to Exhaust Server Memory via Amplification Attack
A high-severity vulnerability (CVE-2025-47950) in CoreDNS's DNS-over-QUIC (DoQ) server implementation lets remote, unauthenticated attackers exhaust server memory and crash DNS servers through QUIC stream amplification.
Patched in CoreDNS v1.12.2, the flaw highlights the risks of adopting newer transport protocols in cloud-native systems.
Goroutine Proliferation in DoQ Implementation
The vulnerability stems from CoreDNS's handling of QUIC streams in its server_quic.go component.
For every incoming QUIC stream, the server spawned a new goroutine without concurrency limits, creating a 1:1 stream-to-goroutine mapping.
Because QUIC lets a single connection multiplex many streams, this design allowed an attacker to:
- Open an effectively unlimited number of streams over one or more QUIC connections, each costing a goroutine plus its stack and per-stream buffers
- Trigger out-of-memory (OOM) crashes in memory-constrained environments (common in Kubernetes/container setups)
- Do so without any credentials: a standard DoQ handshake is all that is needed, since DoQ servers do not authenticate clients
```go
// Simplified shape of the pre-1.12.2 stream handling in server_quic.go:
// every accepted stream gets its own goroutine, with nothing bounding
// how many may exist at once.
func (s *Server) handleStream(stream quic.Stream) {
	go s.processStream(stream) // uncontrolled goroutine creation
}
```
The attack requires minimal bandwidth (~1 MB/s for 10k streams) and no privileges, earning a CVSSv3 score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
Mitigation Strategies: Concurrent Stream Throttling
The patch introduces two concurrency controls via new Corefile directives:
Parameter | Default | Function
---|---|---
max_streams | 256 | Limits concurrent streams per QUIC connection
worker_pool_size | 1024 | Sets the size of the server-wide worker pool that processes streams
Both directives live in the quic block of a quic:// server block in the Corefile:

```
quic {
    max_streams 256        # caps streams per connection, so one connection cannot flood the server
    worker_pool_size 1024  # global cap on streams being processed at once
}
```
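To make the goroutine-per-stream problem and the two limits concrete, here is an added Go example that is not CoreDNS code. It uses constructed stand-ins for quic.Connection and quic.Stream (so it runs offline without quic-go), simulates a single connection opening thousands of streams, and compares the pre-fix accept loop with one that enforces a per-connection cap (the role of max_streams) and a shared worker pool (the role of worker_pool_size). The 4 KiB per-stream buffer, the 50 ms hold time and the channel-semaphore design are assumptions for illustration, not details of the real patch.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"sync"
	"sync/atomic"
	"time"
)

// Stream and Conn are constructed stand-ins for quic.Stream and quic.Connection.
type Stream struct{ ID int }
type Conn struct{ streams chan Stream }

var errClosed = errors.New("connection closed")

// AcceptStream mirrors quic.Connection.AcceptStream: blocks until the peer
// opens a stream, the connection closes, or the context ends.
func (c *Conn) AcceptStream(ctx context.Context) (Stream, error) {
	select {
	case s, ok := <-c.streams:
		if !ok {
			return Stream{}, errClosed
		}
		return s, nil
	case <-ctx.Done():
		return Stream{}, ctx.Err()
	}
}

// Stats tracks streams in flight and the peak concurrency reached.
type Stats struct{ inFlight, peak int64 }

func (st *Stats) enter() {
	n := atomic.AddInt64(&st.inFlight, 1)
	for p := atomic.LoadInt64(&st.peak); n > p; p = atomic.LoadInt64(&st.peak) {
		if atomic.CompareAndSwapInt64(&st.peak, p, n) {
			return
		}
	}
}
func (st *Stats) leave()      { atomic.AddInt64(&st.inFlight, -1) }
func (st *Stats) Peak() int64 { return atomic.LoadInt64(&st.peak) }

const perStreamBuf = 4096 // assumed per-stream read buffer, used for the memory estimate

// processStream stands in for reading the DNS query and writing the reply;
// it holds a buffer for `hold`, so concurrent streams cost memory at once.
func processStream(st *Stats, s Stream, hold time.Duration) {
	st.enter()
	defer st.leave()
	buf := make([]byte, perStreamBuf)
	buf[0] = byte(s.ID)
	time.Sleep(hold)
}

// ServeUnbounded is the pre-fix shape: one goroutine per accepted stream, no cap,
// so peak concurrency (and memory) is whatever the peer chooses to open.
func ServeUnbounded(ctx context.Context, c *Conn, st *Stats, hold time.Duration) {
	var wg sync.WaitGroup
	for {
		s, err := c.AcceptStream(ctx)
		if err != nil {
			break
		}
		wg.Add(1)
		go func() {
			defer wg.Done()
			processStream(st, s, hold)
		}()
	}
	wg.Wait()
}

// ServeBounded is the post-fix shape: maxStreams caps in-flight streams on this
// connection and pool (shared by every connection) caps them server-wide, so the
// number of stream goroutines never exceeds min(maxStreams, cap(pool)).
func ServeBounded(ctx context.Context, c *Conn, st *Stats, hold time.Duration, maxStreams int, pool chan struct{}) {
	perConn := make(chan struct{}, maxStreams)
	var wg sync.WaitGroup
	for {
		s, err := c.AcceptStream(ctx)
		if err != nil {
			break
		}
		perConn <- struct{}{} // wait for a per-connection slot (max_streams)
		pool <- struct{}{}    // wait for a global worker (worker_pool_size)
		wg.Add(1)
		go func() {
			defer wg.Done()
			defer func() { <-pool; <-perConn }()
			processStream(st, s, hold)
		}()
	}
	wg.Wait()
}

// RunScenario pushes nStreams streams through one connection and returns the
// peak number of concurrently processed streams observed.
func RunScenario(bounded bool, nStreams, maxStreams, poolSize int) int64 {
	c := &Conn{streams: make(chan Stream, nStreams)}
	for i := 0; i < nStreams; i++ {
		c.streams <- Stream{ID: i}
	}
	close(c.streams)
	var st Stats
	hold := 50 * time.Millisecond
	if bounded {
		ServeBounded(context.Background(), c, &st, hold, maxStreams, make(chan struct{}, poolSize))
	} else {
		ServeUnbounded(context.Background(), c, &st, hold)
	}
	return st.Peak()
}

func main() {
	for _, b := range []bool{false, true} {
		peak := RunScenario(b, 5000, 256, 1024)
		fmt.Printf("bounded=%v peak=%d streams (~%d KiB in stream buffers)\n", b, peak, peak*perStreamBuf/1024)
	}
}
```

With the unbounded loop the peak tracks the number of streams the attacker sends, and memory scales with it; with the bounded loop the peak is clamped to the smaller of the two limits regardless of how many streams arrive, which is exactly the property the patch restores. Note that the bounded loop applies back-pressure by not accepting further streams while all slots are busy, so a flood degrades into slower service rather than a crash.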
For systems that cannot be patched immediately, administrators can:
- Disable DoQ by removing the quic:// server block from the Corefile (plain UDP/TCP DNS is unaffected)
- Set Kubernetes resources.limits for memory and CPU on the CoreDNS pods; this does not prevent the crash, but it confines the OOM kill to the CoreDNS pod instead of the node
- Monitor QUIC traffic for abnormal stream counts (the page's suggested threshold is more than 500 streams per second)
Cloud DNS Infrastructure Exposure
Risk Factor | Severity Level | Details
---|---|---
Attack Surface | Critical | 78% of Kubernetes clusters use CoreDNS
Exploit Effort | Low | Requires only standard QUIC client tools
Impact | High | Cluster-wide DNS outage within about 90 seconds
Patching Cadence | Moderate | 40% of enterprises take more than 30 days to update DNS software
Red Hat’s modified CVSS score (5.3) underestimates containerized environments where OOM kills cascade to pod rescheduling storms.
The vulnerability particularly threatens:
- Multi-tenant SaaS platforms using shared CoreDNS instances
- Edge computing nodes with limited RAM (e.g., <4GB)
- CI/CD pipelines relying on DNS-based service discovery
Security teams should prioritize upgrading to v1.12.2 or later. For Kubernetes clusters that means bumping the CoreDNS container image in the kube-system deployment; for Go module consumers of CoreDNS, the upgrade and a quick audit of QUIC usage look like this:

```bash
go get github.com/coredns/coredns@v1.12.2
kubectl get cm -n kube-system coredns -o yaml | grep "quic://"
```
This incident underscores the tension between adopting newer protocols (QUIC) and maintaining backward-compatible security models – a challenge likely to intensify as DoQ adoption grows 300% YoY.