|
| 1 | +--- |
| 2 | +gem: resolv |
| 3 | +cve: 2025-24294 |
| 4 | +url: https://www.ruby-lang.org/en/news/2025/07/08/dos-resolv-cve-2025-24294 |
| 5 | +title: Possible Denial of Service in resolv gem |
| 6 | +date: 2025-07-09 |
| 7 | +description: | |
| 8 | + A denial of service vulnerability has been discovered in the |
| 9 | + resolv gem bundled with Ruby. |
| 10 | + This vulnerability has been assigned the CVE identifier |
| 11 | + CVE-2025-24294. We recommend upgrading the resolv gem. |
| 12 | +
|
| 13 | + ## Details |
| 14 | + The vulnerability is caused by an insufficient check on the |
| 15 | + length of a decompressed domain name within a DNS packet. |
| 16 | +
|
| 17 | + An attacker can craft a malicious DNS packet containing a highly |
| 18 | + compressed domain name. When the resolv library parses such a |
| 19 | + packet, the name decompression process consumes a large amount |
| 20 | + of CPU resources, as the library does not limit the resulting |
| 21 | + length of the name. |
| 22 | +
|
| 23 | + This resource consumption can cause the application thread to |
| 24 | + become unresponsive, resulting in a Denial of Service condition. |
| 25 | +
|
| 26 | + ## Affected Version |
| 27 | + The vulnerability affects the resolv gem bundled with the |
| 28 | + following Ruby series: |
| 29 | + * Ruby 3.2 series: resolv version 0.2.2 and earlier |
| 30 | + * Ruby 3.3 series: resolv version 0.3.0 |
| 31 | + * Ruby 3.4 series: resolv version 0.6.1 and earlier |
| 32 | +
|
| 33 | + ## Credits |
| 34 | + Thanks to Manu for discovering this issue. |
| 35 | +
|
| 36 | + ## History |
| 37 | + Originally published at 2025-07-08 07:00:00 (UTC) |
| 38 | +patched_versions: |
| 39 | + - "~> 0.2.2" |
| 40 | + - "~> 0.3.0" |
| 41 | + - ">= 0.6.1" |
| 42 | +related: |
| 43 | + url: |
| 44 | + - https://www.ruby-lang.org/en/news/2025/07/08/dos-resolv-cve-2025-24294 |
| 45 | + - https://rubygems.org/gems/resolv |
| 46 | + - https://www.cve.org/CVERecord?id=CVE-2025-24294 |
0 commit comments