CVE-2025-24294: Uncontrolled Resource Consumption in Resolv

Severity
NVD: 7.5 HIGH
OSV: 9.8
OSV: 5.3
EPSS
0.1% (top 74.69%)
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Jul 12
Latest update: Sep 3

Description

The attack vector is a potential Denial of Service (DoS). The vulnerability is caused by an insufficient check on the length of a decompressed domain name within a DNS packet. An attacker can craft a malicious DNS packet containing a highly compressed domain name. When the resolv library parses such a packet, the name decompression process consumes a large amount of CPU resources, as the library does not limit the resulting length of the name. This resource consumption can cause the applicatio
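An added example, not code from the resolv gem or from this advisory: a Ruby decoder for compressed DNS names that enforces the RFC 1035 255-byte bound the description says was missing, so a pointer chain that would expand past that limit is rejected instead of being expanded. The packet bytes and the `compression_chain` helper are constructed for the demonstration.

```ruby
# Added example (not resolv's code): decode a possibly-compressed DNS name
# while bounding the decompressed length. RFC 1035 wire format: length byte
# followed by label bytes, 0 = root, top two bits 11 = 14-bit pointer to an
# earlier occurrence of a name in the same packet.
MAX_NAME_LEN  = 255   # RFC 1035 limit on a full name's wire length
MAX_LABEL_LEN = 63    # RFC 1035 limit on one label

class DecodeError < StandardError; end

# Returns [labels, bytes_consumed_at_offset]; raises DecodeError on malformed
# or oversized names. Pointers must go strictly backwards and every label adds
# to `total`, so the length bound also guarantees the loop terminates.
def decode_name(pkt, offset)
  labels, total, pos, consumed = [], 0, offset, nil
  loop do
    raise DecodeError, "truncated name" if pos >= pkt.bytesize
    len = pkt.getbyte(pos)
    case len >> 6
    when 0                                   # ordinary label, or root when len == 0
      total += 1 + len
      raise DecodeError, "name exceeds #{MAX_NAME_LEN} bytes" if total > MAX_NAME_LEN
      return [labels, consumed || pos + 1 - offset] if len == 0
      raise DecodeError, "label too long" if len > MAX_LABEL_LEN
      raise DecodeError, "truncated label" if pos + 1 + len > pkt.bytesize
      labels << pkt.byteslice(pos + 1, len)
      pos += 1 + len
    when 3                                   # compression pointer
      raise DecodeError, "truncated pointer" if pos + 1 >= pkt.bytesize
      target = ((len & 0x3f) << 8) | pkt.getbyte(pos + 1)
      consumed ||= pos + 2 - offset          # the name's bytes in the packet end here
      raise DecodeError, "pointer not backwards" unless target < pos
      pos = target
    else
      raise DecodeError, "reserved label type"
    end
  end
end

# Constructed packet (not real traffic): "example.com" at offset 0, then
# "www" plus a pointer to offset 0 at offset 13, i.e. www.example.com.
LEGIT = "\x07example\x03com\x00".b + "\x03www\xC0\x00".b

# Constructed chain of `hops` single-label chunks, each pointing at the previous
# one; decoding from the last chunk yields hops+1 labels, 2*(hops+1)+1 wire bytes.
def compression_chain(hops)
  pkt = "\x01a\x00\x00".b
  hops.times { |i| pkt << "\x01a".b << [0xC0 | ((4 * i) >> 8), (4 * i) & 0xff].pack("CC") }
  pkt
end
```

Decoding `compression_chain(200)` from offset 800 would expand to 403 wire bytes, so the decoder raises after the 128th label rather than continuing; a 100-hop chain (203 bytes) still decodes normally.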

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Exploitability: 3.9 | Impact: 3.6

Affected Packages (9 packages)

Ecosystem | Package | Affected from | Fixed in | More ranges
RubyGems | ruby/resolv | 0.4.0 | 0.6.2 | +2
CVEListV5 | ruby/resolv | 0.2 | 0.2.2 | +2
Ubuntu | rubygems/rubygems | < 3.3.5-2ubuntu1.1 | | 

Vulnerability Details (5)

OSV: ruby2.5, ruby2.7, ruby3.0, ruby3.2, ruby3.3 vulnerabilities (2025-09-03)
OSV: rubygems vulnerabilities (2025-09-03)
GHSA: resolv vulnerable to DoS via insufficient DNS domain name length validation (2025-07-15)
OSV: resolv vulnerable to DoS via insufficient DNS domain name length validation (2025-07-15)
OSV: CVE-2025-24294: The attack vector is a potential Denial of Service (DoS) (2025-07-12)

Vendor Advisories (5)

Ubuntu: RubyGems vulnerabilities (2025-09-03)
Ubuntu: Ruby vulnerabilities (2025-09-03)
Red Hat: resolv: Denial of Service in resolv gem (2025-07-12)
Microsoft: CVE-2025-24294: FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability? One (2025-07-08)
Debian: CVE-2025-24294: ruby2.7 - The attack vector is a potential Denial of Service (DoS). The vulnerability is c... (2025)