PowerDNS has issued an emergency security advisory (2025-02) addressing a high-severity denial-of-service (DoS) vulnerability (CVE-2025-30194) in DNSdist, its DNS proxy and load-balancing software.
The flaw affects deployments using DNS over HTTPS (DoH) via the nghttp2 provider, enabling remote attackers to crash the service through crafted requests.
Patched version 1.9.9 is now available, with temporary mitigation via provider switching.
Technical Details
The vulnerability arises in DNSdist versions 1.9.0 to 1.9.8 configured for DoH using the nghttp2 library.
Attackers exploiting this flaw send malicious DoH exchanges, triggering a double-free memory access, leading to illegal memory operations and service crashes.
The issue does not permit remote code execution but disrupts DNS resolution entirely, impacting availability.
| CVSS v3.1 Metrics | Details |
|---|---|
| Base Score | 7.5 (High) |
| Attack Vector | Network (AV:N) |
| Attack Complexity | Low (AC:L) |
| Privileges Required | None (PR:N) |
| User Interaction | None (UI:N) |
| Impact | Availability: High (A:H) |
| CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
Affected Versions and Mitigation
| Version Range | Status | Remediation |
|---|---|---|
| 1.9.0 – 1.9.8 | Vulnerable | Upgrade to 1.9.9 |
| < 1.9.0 | Not Affected | N/A |
| 1.9.9 | Fixed | Available via PowerDNS repositories |
Workaround: Temporarily switch DNSdist's DoH provider from nghttp2 to h2o in the Lua configuration. The page's snippet passed the URL path before the certificate and key; dnsdist's addDOHLocal() takes the listen address, certificate file, key file, the list of URL paths, and then the options table, and the option that selects the HTTP library is `library`:

```lua
-- Listen for DoH on all interfaces, port 443, answering on /dns-query,
-- using the h2o library instead of the (affected) nghttp2 one.
addDOHLocal("0.0.0.0:443", "cert.pem", "key.pem", { "/dns-query" }, { library = "h2o" })
```

This mitigates the risk until upgrades are completed.
Discovery and Response
Security researcher Charles Howes reported the issue via PowerDNS’ public GitHub tracker on April 25, 2025.
The maintainers classified it as a CWE-416 (Use After Free) vulnerability and released an emergency patch within four days.
Impact and Recommendations
Organizations using DNSdist for DoH traffic balancing must prioritize upgrading to 1.9.9 or applying the workaround.
DNSdist’s role as a frontline DNS load balancer makes it critical for maintaining service continuity, particularly in environments handling encrypted DNS queries.
PowerDNS confirms no evidence of active exploitation but emphasizes proactive patching due to the exploit’s low complexity.
This incident underscores the importance of robust memory management in high-performance DNS infrastructure and highlights the risks associated with emerging encryption protocols like DoH.
System administrators should monitor for similar vulnerabilities in overlapping libraries (e.g., nghttp2) and maintain strict update cycles for DNS infrastructure components.