CVE-2025-62408

5.9 MEDIUM

📋 TL;DR

A denial-of-service vulnerability in the c-ares asynchronous DNS resolver library, versions 1.32.3 through 1.34.5. The defect lies in how the library handles a query that has been terminated because it reached its maximum number of attempts, in the internal read_answer() and process_answer() code paths. Any application or system that resolves names through a vulnerable c-ares build is affected; triggering it requires the ability to influence the DNS responses the resolver receives.

💻 Affected Systems

Products:
  • c-ares library
  • Applications linking against c-ares
Versions: 1.32.3 through 1.34.5
Operating Systems: Linux, Windows, macOS, BSD, Other Unix-like systems
Default Config Vulnerable: ⚠️ Yes
Notes: read_answer() and process_answer() are internal to c-ares and sit on the response path of every query, so any application that resolves names through an affected build is exposed regardless of its own configuration; no opt-in feature is involved.

📦 What is this software?

c-ares is an asynchronous DNS resolver library written in C. It performs non-blocking name resolution on behalf of the programs that link it, so it is found inside many network-facing applications rather than running as a standalone service; Node.js, for example, bundles its own copy, and curl can be built against it.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete service disruption for applications relying on DNS resolution, potentially causing cascading failures in dependent services.

🟠

Likely Case

Intermittent DNS resolution failures leading to application timeouts, degraded performance, or partial service unavailability.

🟢

If Mitigated

Minimal impact with proper monitoring and failover mechanisms in place, though resolution delays may still occur.

🌐 Internet-Facing: MEDIUM - Internet-facing services using c-ares for DNS resolution could experience availability issues if targeted.
🏢 Internal Only: LOW - Internal systems are less likely to be targeted but could still experience issues from misconfigured or malicious internal DNS responses.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires the ability to influence the DNS responses the vulnerable resolver receives, for example by spoofing responses on the path between the client and its resolver, poisoning a recursive resolver the client uses, or controlling an upstream DNS server. No authentication is involved at any point, since the resolver accepts any response that matches an outstanding query.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.34.6

Vendor Advisory: https://github.com/c-ares/c-ares/security/advisories/GHSA-jq53-42q6-pqr5

Restart Required: Yes

Instructions:

1. Update c-ares to version 1.34.6 or later.
2. Recompile any applications statically linked against c-ares, and update software that vendors its own copy through that software's own release channel (Node.js bundles c-ares by default, so a system library upgrade does not fix a Node.js service).
3. Restart services using the library; a running process keeps the old shared object mapped until it restarts.

🔧 Temporary Workarounds

DNS Response Validation

Applies to: all platforms

Implement additional validation of DNS responses at application level to filter potentially malicious responses. Note the limit of this measure: c-ares receives and parses a response before the application sees the result, so application-level checks cannot stop the library from processing a crafted response; they reduce the damage of a bad answer, not the exposure of the resolver itself.

DNS Server Hardening

Applies to: all platforms

Secure upstream DNS servers to prevent response manipulation, and restrict the resolvers the application will talk to (for example, a local caching resolver on a trusted network rather than whatever servers DHCP hands out).

🧯 If You Can't Patch

  • Implement DNS query timeouts and retry logic at application level
  • Use alternative DNS resolution methods or libraries temporarily

🔍 How to Verify

Check if Vulnerable:

Determine which c-ares build each application actually uses. For a shared system library, pkg-config --modversion c-ares prints the installed version; for statically linked or vendored copies, check the application's dependency manifest or build tree, since the system package version says nothing about them.

Check Version:

pkg-config --modversion c-ares

Verify Fix Applied:

After updating, confirm the reported version is 1.34.6 or higher and that the affected services have been restarted, since a running process keeps the old shared library mapped until restart.
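The version check above, extended into a small script (an added example, not from the c-ares project or the advisory): it normalises a version string, tests it against the affected range 1.32.3 to 1.34.5, and inspects the two places a practitioner most often finds c-ares on a host, the shared library reported by pkg-config and the copy bundled into Node.js, which exposes its c-ares version as process.versions.ares. The function names cares_vernum, cares_affected, cares_report and check_host are the example's own.

```shell
#!/bin/sh
# Added example: decide whether a c-ares version falls inside the range
# affected by CVE-2025-62408 (1.32.3 through 1.34.5, fixed in 1.34.6).
# Function names here are this example's own, not part of c-ares.

# Normalise "MAJOR.MINOR.PATCH[-suffix]" to one integer so versions can be
# compared numerically (1.34.6 -> 1034006). Anything from the first
# character that is not a digit or a dot (e.g. "-rc1") is dropped.
cares_vernum() {
    v=$(printf '%s' "$1" | sed 's/[^0-9.].*$//')
    set -- $(printf '%s' "$v" | tr '.' ' ')
    maj=${1:-0}; min=${2:-0}; pat=${3:-0}
    echo $(( maj * 1000000 + min * 1000 + pat ))
}

# Exit status 0 if the given version is affected, 1 otherwise.
cares_affected() {
    n=$(cares_vernum "$1")
    [ "$n" -ge "$(cares_vernum 1.32.3)" ] && [ "$n" -le "$(cares_vernum 1.34.5)" ]
}

# Print a verdict for one named copy of c-ares.
cares_report() {
    if cares_affected "$2"; then
        echo "$1: c-ares $2 is AFFECTED, upgrade to 1.34.6 or later and restart"
    else
        echo "$1: c-ares $2 is not affected"
    fi
}

# Inspect the system shared library and the copy vendored into Node.js.
# Statically linked or otherwise vendored copies are not visible here and
# must be checked from the application's own dependency manifest.
check_host() {
    if v=$(pkg-config --modversion c-ares 2>/dev/null); then
        cares_report "system library" "$v"
    else
        echo "system library: pkg-config found no c-ares.pc (not installed, or not exposed)"
    fi
    if command -v node >/dev/null 2>&1; then
        v=$(node -p 'process.versions.ares' 2>/dev/null) && cares_report "node.js bundled" "$v"
    fi
}

# Run the host check when executed directly (harmless if no c-ares is found).
check_host
```

The exit-status convention of cares_affected lets it drop into a fleet inventory loop that feeds versions collected elsewhere. Node.js reports the c-ares compiled into its own binary, so a patched system library does not clear a Node.js service; that copy is only fixed by a Node.js update.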

📡 Detection & Monitoring

Log Indicators:

  • Increased DNS query timeouts
  • Application errors related to DNS resolution failures
  • Unusual termination of DNS resolution processes

Network Indicators:

  • Abnormal DNS response patterns
  • Repeated DNS queries to same domains

SIEM Query:

source="application_logs" AND ("DNS timeout" OR "resolution failed" OR "c-ares error")
