CVE-2025-24294

The attack vector is a potential Denial of Service (DoS). The vulnerability is caused by an insufficient check on the length of a decompressed domain name within a DNS packet.

An attacker can craft a malicious DNS packet containing a highly compressed domain name. When the resolv library parses such a packet, the name decompression process consumes a large amount of CPU resources, as the library does not limit the resulting length of the name.

This resource consumption can cause the application thread to become unresponsive, resulting in a Denial of Service condition.

References

Affected packages

Debian:11 / ruby2.7

Package

Name: ruby2.7
Purl: pkg:deb/debian/ruby2.7?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.7.4-1

2.7.4-1+deb11u1

2.7.4-1+deb11u2

2.7.4-1+deb11u3

2.7.4-1+deb11u4

2.7.4-1+deb11u5

2.7.5-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / ruby3.1

Package

Name: ruby3.1
Purl: pkg:deb/debian/ruby3.1?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

3.*

3.1.2-7

3.1.2-7+deb12u1

3.1.2-7+hurd.1

3.1.2-8

3.1.2-8.1~exp1

3.1.2-8.3

3.1.2-8.4

3.1.2-8.5

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / ruby3.3

Package

Name: ruby3.3
Purl: pkg:deb/debian/ruby3.3?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

3.*

3.3.1-1

3.3.1-2

3.3.1-3

3.3.1-4

3.3.1-5

3.3.1-6

3.3.4-1

3.3.4-2

3.3.4-2+hurd.1

3.3.5-1

3.3.5-2

3.3.6-1

3.3.6-1.1

3.3.6-1.1+hurd.1

3.3.6-1.1+ports

3.3.6-1.1+x32

3.3.7-1

3.3.7-2

3.3.8-1

3.3.8-2

Ecosystem specific

{
    "urgency": "not yet assigned"
}