GHSA-xh69-987w-hrp8
Suggest an improvement- Source
- https://github.com/advisories/GHSA-xh69-987w-hrp8
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/07/GHSA-xh69-987w-hrp8/GHSA-xh69-987w-hrp8.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-xh69-987w-hrp8
- Aliases
- Downstream
- Related
- Published
- 2025-07-15T14:37:08Z
- Modified
- 2025-07-15T23:03:33.652731Z
- Severity
-
- 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVSS Calculator
- 6.6 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U CVSS Calculator
- Summary
- resolv vulnerable to DoS via insufficient DNS domain name length validation
- Details
-
A denial of service vulnerability has been discovered in the resolv gem bundled with Ruby.
Details
The vulnerability is caused by an insufficient check on the length of a decompressed domain name within a DNS packet.
An attacker can craft a malicious DNS packet containing a highly compressed domain name. When the resolv library parses such a packet, the name decompression process consumes a large amount of CPU resources, as the library does not limit the resulting length of the name.
This resource consumption can cause the application thread to become unresponsive, resulting in a Denial of Service condition.
Affected Version
The vulnerability affects the resolv gem bundled with the following Ruby series: * Ruby 3.2 series: resolv version 0.2.2 and earlier * Ruby 3.3 series: resolv version 0.3.0 * Ruby 3.4 series: resolv version 0.6.1 and earlier
Credits
Thanks to Manu for discovering this issue.
History
Originally published at 2025-07-08 07:00:00 (UTC)
- Database specific
{ "github_reviewed": true, "cwe_ids": [ "CWE-1284", "CWE-400" ], "severity": "MODERATE", "github_reviewed_at": "2025-07-15T14:37:08Z", "nvd_published_at": "2025-07-12T04:15:46Z" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2025-24294
- https://github.com/ruby/resolv/commit/4c2f71b5e80826506f78417d85b38481c058fb25
- https://github.com/ruby/resolv
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/resolv/CVE-2025-24294.yml
- https://www.ruby-lang.org/en/news/2025/07/08/dos-resolv-cve-2025-24294
Affected packages
RubyGems / resolv
Package
- Name
- resolv
- Purl
- pkg:gem/resolv
RubyGems / resolv
Package
- Name
- resolv
- Purl
- pkg:gem/resolv
RubyGems / resolv
Package
- Name
- resolv
- Purl
- pkg:gem/resolv