CVE-2025-30193 – This vulnerability allows attackers to cause DN... (How to Fix)

Q: What is the severity of CVE-2025-30193?

CVE-2025-30193 has a CVSS score of 7.5 (HIGH). This vulnerability allows attackers to cause DNSdist to crash by exploiting TCP connection handling, leading to denial of service. DNSdist instances configured to allow unlimited queries per TCP connection are affected. The attack requires network access to the DNSdist service.

📋 TL;DR

This vulnerability allows attackers to cause DNSdist to crash by exploiting TCP connection handling, leading to denial of service. DNSdist instances configured to allow unlimited queries per TCP connection are affected. The attack requires network access to the DNSdist service.

💻 Affected Systems

Products:

DNSdist

Versions: All versions before 1.9.10

Operating Systems: All platforms running DNSdist

Default Config Vulnerable: ✅ No

Notes: Only vulnerable when configured with unlimited TCP queries per connection (setMaxTCPQueriesPerConnection=0)

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.

Recommended Actions:

Review the CVE details at NVD
Check vendor security advisories for your specific version
Test if the vulnerability is exploitable in your environment
Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete DNS service outage affecting all DNS resolution for dependent systems, potentially disrupting critical network services.

🟠

Likely Case

Intermittent DNS service disruptions causing timeouts and failed lookups for clients.

🟢

If Mitigated

Minimal impact with proper query limits or patched versions, possibly some performance degradation.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Attack requires crafting specific TCP exchanges but doesn't need authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.9.10

Vendor Advisory: https://dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2025-03.html

Restart Required: Yes

Instructions:

1. Download DNSdist 1.9.10 from official sources. 2. Stop DNSdist service. 3. Install/upgrade to version 1.9.10. 4. Restart DNSdist service.

🔧 Temporary Workarounds

Limit TCP queries per connection

all

Restrict maximum queries on incoming TCP connections to prevent stack exhaustion

setMaxTCPQueriesPerConnection(50)

🧯 If You Can't Patch

Implement the setMaxTCPQueriesPerConnection workaround with a safe value like 50
Implement network segmentation and firewall rules to restrict access to DNSdist TCP port

🔍 How to Verify

Check if Vulnerable:

Check DNSdist configuration for setMaxTCPQueriesPerConnection=0 and version < 1.9.10

Check Version:

dnsdist --version

Verify Fix Applied:

Verify DNSdist version is 1.9.10 or higher and setMaxTCPQueriesPerConnection is not set to 0

📡 Detection & Monitoring

Log Indicators:

DNSdist crash logs
Unexpected service restarts
Stack exhaustion errors

Network Indicators:

Unusual TCP connection patterns to DNSdist port
Multiple queries from single TCP connections

SIEM Query:

source="dnsdist" AND ("crash" OR "segmentation fault" OR "stack overflow")

📊 Metadata

CVE ID: CVE-2025-30193

CVSS v3 Score: 7.5 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE: CWE-674

EPSS Score: 0.07% exploit probability (20.7th percentile)

Published: May 20, 2025

Last Updated: May 21, 2025

🔗 References

https://dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2025-03.html

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-30193, you might also want to check these: