CVE-2025-24294 - Vulnerability Details

The attack vector is a potential Denial of Service (DoS). The vulnerability is caused by an insufficient check on the length of a decompressed domain name within a DNS packet. An attacker can craft a malicious DNS packet containing a highly compressed domain name. When the resolv library parses such a packet, the name decompression process consumes a large amount of CPU resources, as the library does not limit the resulting length of the name. This resource consumption can cause the application thread to become unresponsive, resulting in a Denial of Service condition.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable yes

Technical Impact partial

No data.

References

Link	Providers
https://nvd.nist.gov/vuln/detail/CVE-2025-24294
https://www.cve.org/CVERecord?id=CVE-2025-24294
https://www.ruby-lang.org/en/news/2025/07/08/dos-resolv-cve-2025-24294/

History

Thu, 17 Jul 2025 00:15:00 +0000

Type	Values Removed	Values Added
Title		resolv: Denial of Service in resolv gem
References		https://nvd.nist.gov/vuln/detail/CVE-2025-24294 https://www.cve.org/CVERecord?id=CVE-2025-24294
Metrics	threat_severity `None`	threat_severity `Moderate`

Wed, 16 Jul 2025 14:15:00 +0000

Type	Values Removed	Values Added
Metrics	cvssV3_1 `{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}`	cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}`

Wed, 16 Jul 2025 13:45:00 +0000

Type	Values Removed	Values Added
Metrics	epss `{'score': 0.00018}`	epss `{'score': 0.00011}`

Tue, 15 Jul 2025 14:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-400
Metrics		cvssV3_1 `{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}` ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Sat, 12 Jul 2025 13:45:00 +0000

Type	Values Removed	Values Added
Metrics		epss `{'score': 0.00018}`

Sat, 12 Jul 2025 03:45:00 +0000

Type	Values Removed	Values Added
Description		The attack vector is a potential Denial of Service (DoS). The vulnerability is caused by an insufficient check on the length of a decompressed domain name within a DNS packet. An attacker can craft a malicious DNS packet containing a highly compressed domain name. When the resolv library parses such a packet, the name decompression process consumes a large amount of CPU resources, as the library does not limit the resulting length of the name. This resource consumption can cause the application thread to become unresponsive, resulting in a Denial of Service condition.
References		https://www.ruby-lang.org/en/news/2025/07/08/dos-resolv-cve-2025-24294/

MITRE

Status: PUBLISHED

Assigner: hackerone

Published: 2025-07-12T03:30:40.226Z

Updated: 2025-07-16T13:37:43.395Z

Reserved: 2025-01-17T01:00:07.458Z

Link: CVE-2025-24294

Vulnrichment

Updated: 2025-07-15T13:49:37.529Z

NVD

Status : Awaiting Analysis

Published: 2025-07-12T04:15:46.683

Modified: 2025-07-16T14:15:23.037

Link: CVE-2025-24294

Redhat

Severity : Moderate

Publid Date: 2025-07-12T03:30:40Z

Links: CVE-2025-24294 - Bugzilla

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object