CVE-2025-68151 — Allocation of Resources Without Limits or Throttling in Coredns Coredns

CWE-770 — Allocation of Resources Without Limits or Throttling6 documents5 sources

Severity

6.6MEDIUMNVD

GHSA7.5OSV7.5

EPSS

0.1%

top 65.88%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Github.com Coredns Coredns Coredns.io Coredns

Timeline

PublishedJan 8

Latest updateJan 12

Description

CoreDNS is a DNS server that chains plugins. Prior to version 1.14.0, multiple CoreDNS server implementations (gRPC, HTTPS, and HTTP/3) lack critical resource-limiting controls. An unauthenticated remote attacker can exhaust memory and degrade or crash the server by opening many concurrent connections, streams, or sending oversized request bodies. The issue is similar in nature to CVE-2025-47950 (QUIC DoS) but affects additional server types that do not enforce connection limits, stream limits, …

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Affected Packages2 packages

▶NVDcoredns.io/coredns< 1.14.0

▶Gogithub.com/coredns_coredns< 1.14.0

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

CoreDNS gRPC/HTTPS/HTTP3 servers lack resource limits, enabling DoS via unbounded connections and oversized messages in github.com/coredns/coredns↗2026-01-12

▶

OSV

CoreDNS gRPC/HTTPS/HTTP3 servers lack resource limits, enabling DoS via unbounded connections and oversized messages↗2026-01-08

▶

GHSA

CoreDNS gRPC/HTTPS/HTTP3 servers lack resource limits, enabling DoS via unbounded connections and oversized messages↗2026-01-08

▶

📋Vendor Advisories

Red Hat

github.com/coredns/coredns/core/dnsserver: CoreDNS DoS via unbounded connections and oversized messages↗2026-01-08

▶

🕵️Threat Intelligence

Wiz

CVE-2025-68151 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶