CVE-2025-30194

7.5 HIGH

📋 TL;DR

This vulnerability allows attackers to cause a denial of service in DNSdist by sending specially crafted DNS-over-HTTPS (DoH) requests that trigger a double-free memory corruption. This affects DNSdist servers configured to use the nghttp2 provider for DoH functionality. The crash results in service disruption until DNSdist is restarted.

💻 Affected Systems

Products:
  • DNSdist
Versions: All versions before 1.9.9
Operating Systems: All platforms running DNSdist
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when configured to use nghttp2 provider for DoH functionality. Default configurations may not be affected.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete service outage of DNSdist, disrupting DNS resolution for all clients until manual restart, potentially causing cascading failures in dependent services.

🟠 Likely Case

Intermittent DNSdist crashes causing temporary DNS resolution failures, requiring administrator intervention to restart the service.

🟢 If Mitigated

No impact if using h2o provider instead of nghttp2, or if DoH functionality is disabled entirely.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Attack requires sending specially crafted DoH requests to vulnerable DNSdist instances. No authentication needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.9.9

Vendor Advisory: https://dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2025-02.html

Restart Required: Yes

Instructions:

  1. Download DNSdist 1.9.9 or later from official sources.
  2. Stop DNSdist service.
  3. Install the updated version.
  4. Restart DNSdist service.
  5. Verify service is running correctly.

🔧 Temporary Workarounds

Switch to h2o provider (platforms: all)

Temporarily switch the DNSdist DoH configuration from the nghttp2 provider to the h2o provider:

  1. Edit the DNSdist configuration to replace 'nghttp2' with 'h2o' in the DoH provider settings
  2. Restart the DNSdist service

🧯 If You Can't Patch

  • Disable DoH functionality entirely in DNSdist configuration
  • Implement network filtering to block DoH traffic to vulnerable DNSdist instances

🔍 How to Verify

Check if Vulnerable:

Check whether the DNSdist configuration enables DoH with the nghttp2 provider and whether the installed version is below 1.9.9

Check Version:

dnsdist --version

Verify Fix Applied:

Confirm DNSdist version is 1.9.9 or higher and service is running without crashes
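The two checks above can be combined into one triage script. This is an added example, not part of the original page or the vendor advisory. It assumes DoH listeners are declared with dnsdist's `addDOHLocal(...)` Lua call, each on a single line, with the provider named through the `library` option, that the `dnsdist --version` output contains a dotted version number, and that the operator passes the configuration path as an argument.

```shell
#!/bin/sh
FIXED="1.9.9"   # fixed release named on this page

# version_lt A B: true when dotted version A is strictly lower than B.
version_lt() {
  a=$1; b=$2
  while [ -n "$a" ] || [ -n "$b" ]; do
    x=${a%%.*}; y=${b%%.*}
    if [ "${x:-0}" -lt "${y:-0}" ]; then return 0; fi
    if [ "${x:-0}" -gt "${y:-0}" ]; then return 1; fi
    case $a in *.*) a=${a#*.} ;; *) a= ;; esac
    case $b in *.*) b=${b#*.} ;; *) b= ;; esac
  done
  return 1
}

# doh_provider FILE: print nghttp2, h2o, unspecified or none for FILE's DoH listeners.
# Assumes each addDOHLocal(...) call sits on one line; Lua "--" comments are ignored.
doh_provider() {
  lines=$(sed 's/--.*$//' "$1" | grep 'addDOHLocal' || true)
  if [ -z "$lines" ]; then echo none
  elif printf '%s\n' "$lines" | grep -q 'nghttp2'; then echo nghttp2
  elif printf '%s\n' "$lines" | grep -qv 'h2o'; then echo unspecified
  else echo h2o
  fi
}

# assess VERSION_OUTPUT CONFIG_FILE: print a one-line verdict.
assess() {
  ver=$(printf '%s\n' "$1" | grep -oE '[0-9]+(\.[0-9]+)+' | head -n1)
  if [ -z "$ver" ]; then echo "REVIEW: no version number found"; return 0; fi
  if ! version_lt "$ver" "$FIXED"; then echo "OK: $ver is at or above $FIXED"; return 0; fi
  case $(doh_provider "$2") in
    nghttp2)     echo "VULNERABLE: $ver with a DoH listener on nghttp2" ;;
    unspecified) echo "REVIEW: $ver with a DoH listener that names no provider" ;;
    *)           echo "OK: $ver has no DoH listener on nghttp2" ;;
  esac
}

# Usage: sh check.sh /path/to/dnsdist.conf   (the path is supplied by the operator)
if [ "$#" -ge 1 ]; then
  assess "$(dnsdist --version 2>&1)" "$1"
fi
```

A `REVIEW` verdict means a DoH listener exists but names no provider, so the provider in use has to be confirmed by hand before the host is cleared.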

📡 Detection & Monitoring

Log Indicators:

  • DNSdist crash logs
  • Segmentation fault errors
  • Service restart events
  • Abnormal termination messages

Network Indicators:

  • Spike in DoH requests to DNSdist
  • DNS resolution failures following DoH traffic patterns

SIEM Query:

source="dnsdist" AND ("segmentation fault" OR "crash" OR "double-free" OR "abort")
