Coredns.Io Coredns vulnerabilities
6 known vulnerabilities affecting coredns.io/coredns.
Total CVEs
6
CISA KEV
0
Public exploits
0
Exploited in wild
0
Severity breakdown
HIGH4MEDIUM2
Vulnerabilities
Page 1 of 1
CVE-2026-26018HIGHCVSS 7.5fixed in 1.14.22026-03-06
CVE-2026-26018 [HIGH] CWE-337 CVE-2026-26018: CoreDNS is a DNS server that chains plugins. Prior to version 1.14.2, a denial of service vulnerabil
CoreDNS is a DNS server that chains plugins. Prior to version 1.14.2, a denial of service vulnerability exists in CoreDNS's loop detection plugin that allows an attacker to crash the DNS server by sending specially crafted DNS queries. The vulnerability stems from the use of a predictable pseudo-random number generator (PRNG) for generating a secret q
nvd
CVE-2026-26017MEDIUMCVSS 6.3fixed in 1.14.22026-03-06
CVE-2026-26017 [MEDIUM] CWE-367 CVE-2026-26017: CoreDNS is a DNS server that chains plugins. Prior to version 1.14.2, a logical vulnerability in Cor
CoreDNS is a DNS server that chains plugins. Prior to version 1.14.2, a logical vulnerability in CoreDNS allows DNS access controls to be bypassed due to the default execution order of plugins. Security plugins such as acl are evaluated before the rewrite plugin, resulting in a Time-of-Check Time-of-Use (TOCTOU) flaw. This issue has been patched in
nvd
CVE-2025-68151MEDIUMCVSS 6.6fixed in 1.14.02026-01-08
CVE-2025-68151 [MEDIUM] CVE-2025-68151: CoreDNS is a DNS server that chains plugins. Prior to version 1.14.0, multiple CoreDNS server implem
CoreDNS is a DNS server that chains plugins. Prior to version 1.14.0, multiple CoreDNS server implementations (gRPC, HTTPS, and HTTP/3) lack critical resource-limiting controls. An unauthenticated remote attacker can exhaust memory and degrade or crash the server by opening many concurrent connections, streams, or sending oversized request bodies. The issue
nvd
CVE-2025-47950HIGHCVSS 7.5fixed in 1.12.22025-06-06
CVE-2025-47950 [HIGH] CWE-770 CVE-2025-47950: CoreDNS is a DNS server that chains plugins. In versions prior to 1.12.2, a Denial of Service (DoS)
CoreDNS is a DNS server that chains plugins. In versions prior to 1.12.2, a Denial of Service (DoS) vulnerability exists in the CoreDNS DNS-over-QUIC (DoQ) server implementation. The server previously created a new goroutine for every incoming QUIC stream without imposing any limits on the number of concurrent streams or goroutines. A remote, unauthent
nvd
CVE-2023-30464HIGHCVSS 7.5≤ 1.10.12024-09-18
CVE-2023-30464 [HIGH] CWE-290 CVE-2023-30464: CoreDNS through 1.10.1 enables attackers to achieve DNS cache poisoning and inject fake responses vi
CoreDNS through 1.10.1 enables attackers to achieve DNS cache poisoning and inject fake responses via a birthday attack.
nvd
CVE-2023-28452HIGHCVSS 7.5≤ 1.10.12024-09-18
CVE-2023-28452 [HIGH] CWE-290 CVE-2023-28452: An issue was discovered in CoreDNS through 1.10.1. There is a vulnerability in DNS resolving softwar
An issue was discovered in CoreDNS through 1.10.1. There is a vulnerability in DNS resolving software, which triggers a resolver to ignore valid responses, thus causing denial of service for normal resolution. In an exploit, the attacker could just forge a response targeting the source port of a vulnerable resolver without the need to guess the correc
nvd