Multiple CoreDNS server implementations (gRPC, HTTPS, and HTTP/3) lack critical resource-limiting controls. An unauthenticated remote attacker can exhaust memory and degrade or crash the server by opening many concurrent connections or streams, or by sending oversized request bodies. The issue is similar in nature to CVE-2025-47950 (QUIC DoS) but affects additional server types that do not enforce connection limits, stream limits, or message size constraints.
The affected servers do not enforce reasonable upper bounds on concurrent connections or active streams. An attacker can:
Testing demonstrates that modest resource configurations (e.g., 256 MB RAM) can be exhausted quickly. Increasing concurrency parameters in the PoCs allows attackers to scale the impact.
The gRPC server accepts arbitrarily large protobuf messages (default limit ~4 MB per request) without validating against DNS protocol constraints (maximum 64 KB). Sending multiple concurrent oversized messages can quickly exhaust available memory.
This vulnerability is the server-side counterpart of earlier hardening work in PR https://github.com/coredns/coredns/pull/7490, which added checks for upstream proxying but left server-side request validation unprotected.
In all cases, remote unauthenticated attackers can reliably trigger memory exhaustion and cause a denial of service.
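As an added defender-side illustration, not CoreDNS code or the project's fix, the two bounds the advisory says are missing, written in standard-library Go: a DNS-over-HTTPS style handler that caps the request body at the 64 KiB DNS wire maximum instead of buffering a multi-megabyte body, and a wrapper that bounds in-flight requests so excess load is shed with a 503 rather than held in memory. The handler, its echo behaviour and the limit values are assumptions made for the example.

```go
package main

import (
	"errors"
	"io"
	"net/http"
)

// maxDNSWire is the largest DNS message a 16-bit TCP length prefix can carry (RFC 1035),
// so no valid DoH or gRPC query body is bigger and the bound rejects nothing legitimate.
const maxDNSWire = 65535
var errOversized = errors.New("dns: request body exceeds the 64 KiB wire maximum")

// readDNSBody reads at most maxDNSWire bytes; the reader cuts an oversized body off early.
func readDNSBody(w http.ResponseWriter, r *http.Request) ([]byte, error) {
	body, err := io.ReadAll(http.MaxBytesReader(w, r.Body, maxDNSWire))
	var mbe *http.MaxBytesError
	if errors.As(err, &mbe) {
		return nil, errOversized
	}
	return body, err
}

// limitInflight bounds concurrently served requests: past n, a request gets 503 at once.
func limitInflight(n int, next http.Handler) http.Handler {
	slots := make(chan struct{}, n)
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		select {
		case slots <- struct{}{}:
			defer func() { <-slots }()
			next.ServeHTTP(w, r)
		default:
			http.Error(w, "too many in-flight queries", http.StatusServiceUnavailable)
		}
	})
}

// dohHandler is a constructed stand-in for a DoH endpoint: it applies the size bound and echoes the accepted bytes.
func dohHandler(w http.ResponseWriter, r *http.Request) {
	body, err := readDNSBody(w, r)
	switch {
	case errors.Is(err, errOversized):
		http.Error(w, err.Error(), http.StatusRequestEntityTooLarge)
	case err != nil:
		http.Error(w, "bad request", http.StatusBadRequest)
	default:
		w.Header().Set("Content-Type", "application/dns-message")
		w.Write(body)
	}
}
```

Serve it with `http.ListenAndServe(addr, limitInflight(1024, http.HandlerFunc(dohHandler)))`; a 65536-byte body is refused with 413 while a 65535-byte one is accepted.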
v1.14.0
{
"github_reviewed": true,
"github_reviewed_at": "2026-01-08T20:12:58Z",
"severity": "MODERATE",
"nvd_published_at": "2026-01-08T16:15:59Z",
"cwe_ids": [
"CWE-770"
]
}