dnsdist: critical buffer overflow (double-free) in PowerDNS DNSdist DoH provider (CVE-2025-30194) #shorts
Summary
CVE-2025-30194 is a critical denial-of-service vulnerability in PowerDNS DNSdist versions 1.9.0 through 1.9.8, triggered via malformed DNS over HTTPS (DoH) traffic. A double-free in the nghttp2 provider causes DNSdist to crash. Fedora 41 and 42 have released updates to version 1.9.9 to resolve the issue.
Product details
DNSdist is a high-performance DNS load balancer and proxy by PowerDNS, often deployed to handle DNS over HTTPS (DoH). Affected versions: semver 1.9.0 through 1.9.8. Patched version: 1.9.9. Fedora 41 shipped the 1.9.9 DoS patch, and Fedora 42 updated dnsdist to 1.9.9.
Vulnerability type summary
This is a Use-After-Free (CWE-416) memory corruption that leads to a double-free. When exploited, it results in an illegal memory access and immediate process crash, causing a denial of service.
Details of the vulnerability
When DNSdist is configured to provide DoH via the nghttp2 provider, an attacker can send specially crafted HTTP/2 frames that free internal data structures twice. The double-free corrupts memory, triggering a crash. Exploitation requires only network access to the DoH endpoint—no authentication or special permissions are needed. The crash disrupts DNS resolution services, posing availability risks in production environments.
Conclusion
Upgrade DNSdist to version 1.9.9 immediately to eliminate the double-free vulnerability. As a temporary workaround, switch your DoH provider to h2o until you can apply the patch. Thanks to Charles Howes for reporting. Administrators running DNSdist 1.9.x should verify they’re on 1.9.9 or later, and apply OS vendor updates (Fedora 41/42) where available.
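The version check that the conclusion asks administrators to perform, written out as an added example (this is not code from PowerDNS or from the original post). It takes a version string as obtained from `dnsdist --version` or from the OS package manager, extracts the first X.Y.Z triple, and compares it against the affected range the advisory states (1.9.0 through 1.9.8, fixed in 1.9.9). The sample strings at the bottom are constructed for illustration; the exact layout of `dnsdist --version` output is not assumed beyond containing the version triple.

```python
import re
from typing import Optional, Tuple

# Range taken from the advisory summary above: 1.9.0 through 1.9.8 are
# affected, 1.9.9 carries the fix.
AFFECTED_MIN = (1, 9, 0)
AFFECTED_MAX = (1, 9, 8)
FIXED = (1, 9, 9)

# First X.Y.Z triple in the text; a trailing package suffix such as
# "-1.fc42" or a later "Lua 5.4.6" does not disturb the match.
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)")

# Advice per status, as given in the conclusion of the advisory summary.
REMEDIATION = {
    "affected": "upgrade to 1.9.9 or later; until then switch the DoH provider to h2o",
    "fixed": "no action needed for CVE-2025-30194",
    "out-of-range": "version not in the advisory's affected range; no action for this CVE",
    "unknown": "could not determine a version; inspect the input by hand",
}


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Return the first X.Y.Z triple found in text, or None if there is none."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def is_affected(version: Tuple[int, int, int]) -> bool:
    """True when the version lies in the advisory's affected range."""
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def assess(text: str) -> str:
    """Classify a version string as affected, fixed, out-of-range or unknown."""
    version = parse_version(text)
    if version is None:
        return "unknown"
    if is_affected(version):
        return "affected"
    if version >= FIXED:
        return "fixed"
    # Older than 1.9.0: outside the range this advisory covers.
    return "out-of-range"


if __name__ == "__main__":
    # Constructed sample inputs (not captured from real systems).
    samples = [
        "dnsdist 1.9.8 (Lua 5.4.6)",   # constructed: pre-patch 1.9.x build
        "1.9.9-1.fc42",                # constructed: package version after the update
        "dnsdist 1.8.3",               # constructed: older release outside the range
        "dnsdist: command not found",  # constructed: binary missing, no version
    ]
    for s in samples:
        status = assess(s)
        print(f"{s!r:32} -> {status}: {REMEDIATION[status]}")
```

On a real host, feed the first line of `dnsdist --version` (or the installed package version from the distribution's package manager) into `assess`; the classification then maps directly onto the upgrade-or-h2o advice in the conclusion.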
Watch the full video on YouTube: CVE-2025-30194
Remediation and exploitation details
This chain involves the following actors
- Attacker: Sends specially crafted DNS-over-HTTPS requests to trigger the flaw
- Administrator: Operates and updates DNSdist instances
- Charles Howes: Reported the vulnerability
The following systems are involved
- PowerDNS DNSdist (Balances and filters DNS traffic, including DNS-over-HTTPS): Processes incoming DoH requests via a provider module
- nghttp2 DoH provider (Handles DoH over HTTP/2 connections): Parses HTTP/2 frames and manages memory buffers
- h2o DoH provider (Alternative DoH handler using a different HTTP library): Temporary workaround until the patch is applied
Attack entry point
- DoH endpoint: The HTTP/2 port where DNS-over-HTTPS queries arrive
Remediation actions
Exploitation actions
Craft nonstandard frame sequences
- Send a SETTINGS frame declaring an excessive MAX_FRAME_SIZE
- Follow with HEADERS frames referencing that size
Exploit flawed memory management logic
- Use overlapping DATA frame segments
- Trigger the provider to call free() on the same buffer twice
Double-free leading to illegal memory access
- Buffer pointer is deallocated, then deallocated again on the next frame
Denial of service
- Service stops responding to all DNS queries
Related Content
NOTE: The following related content has not been vetted and may be unsafe.
- https://dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2025-02.html
- [2025-04-29] A critical buffer overflow vulnerability in PowerDNS DNSdist up to 1.9.8 has been identified, exploitable via network attacks.
- [2025-05-15] Fedora 41 releases a critical DoS patch for dnsdist 1.9.9 to address CVE-2025-30194.
- [2025-05-15] Fedora 42 updates dnsdist to version 1.9.9 to resolve a critical DoS issue and fix CVE-2025-30194.