CVE-2025-24294
Public on 2025-07-12
Modified on 2025-07-17
Description
The attack vector is a potential Denial of Service (DoS). The vulnerability is caused by an insufficient check on the length of a decompressed domain name within a DNS packet.
An attacker can craft a malicious DNS packet containing a highly compressed domain name. When the resolv library parses such a packet, the name decompression process consumes a large amount of CPU resources, as the library does not limit the resulting length of the name.
This resource consumption can cause the application thread to become unresponsive, resulting in a Denial of Service condition.
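The missing bound described above, shown as an added example: a name decoder that charges every label, including labels reached through compression pointers, against the 255-octet limit RFC 1035 sets for a domain name. This is not the resolv library's code or its fix; `decode_name`, the error classes and the sample messages are hypothetical, and the backward-only pointer rule is an assumed extra guard.

```ruby
MAX_NAME_LEN = 255 # RFC 1035: a name's wire form is at most 255 octets

class NameTooLong < StandardError; end
class MalformedName < StandardError; end

# Decode the name starting at `offset` in raw message `msg`; returns its labels.
def decode_name(msg, offset)
  bytes = msg.b
  labels = []
  wire_len = 1 # terminating root label
  pos = offset
  loop do
    len = bytes.getbyte(pos) or raise MalformedName, "name runs past end of message"
    case len & 0xC0
    when 0xC0 # compression pointer: 14-bit offset of an earlier name
      low = bytes.getbyte(pos + 1) or raise MalformedName, "truncated pointer"
      target = ((len & 0x3F) << 8) | low
      # Assumed extra guard: only backward pointers, so label-free chains end.
      raise MalformedName, "pointer does not point backwards" unless target < pos
      pos = target
    when 0x00 # ordinary label (length 1..63) or the root label (length 0)
      return labels if len.zero?
      label = bytes.byteslice(pos + 1, len)
      raise MalformedName, "truncated label" if label.nil? || label.bytesize < len
      # One budget for the whole expanded name, pointer targets included;
      # fail before doing any more work once it is exceeded.
      wire_len += len + 1
      raise NameTooLong, "name expands past #{MAX_NAME_LEN} octets" if wire_len > MAX_NAME_LEN
      labels << label
      pos += len + 1
    else
      raise MalformedName, "reserved label type"
    end
  end
end

# Constructed sample data (name sections only, no DNS header).
def wire_label(char, size = 63)
  [size].pack("C") + char * size
end

# "www" + pointer to "example.com" at offset 0; the second name starts at 13.
SAMPLE_OK = "\x07example\x03com\x00\x03www\xC0\x00".b
# 193-octet name at offset 0, then one more label + pointer to it at offset 193.
SAMPLE_LONG = (wire_label("a") * 3 + "\x00" + wire_label("b") + "\xC0\x00".b).b
```

`decode_name(SAMPLE_OK, 13)` returns the three labels of `www.example.com`, while `decode_name(SAMPLE_LONG, 193)` raises `NameTooLong` because the pointer target pushes the expanded name to 257 octets.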
Severity
CVSS v3 Base Score
Affected Packages
| Platform | Package | Release Date | Advisory | Status |
|---|---|---|---|---|
| Amazon Linux 1 | ruby | | | No Fix Planned |
| Amazon Linux 2 - Core | ruby | 2025-08-04 | ALAS2-2025-2957 | Fixed |
| Amazon Linux 1 | ruby18 | | | No Fix Planned |
| Amazon Linux 1 | ruby19 | | | No Fix Planned |
| Amazon Linux 1 | ruby20 | | | No Fix Planned |
| Amazon Linux 1 | ruby21 | | | No Fix Planned |
| Amazon Linux 1 | ruby22 | | | No Fix Planned |
| Amazon Linux 1 | ruby23 | | | No Fix Planned |
| Amazon Linux 1 | ruby24 | | | No Fix Planned |
| Amazon Linux 2023 | ruby3.2 | 2025-08-08 | ALAS2023-2025-1131 | Fixed |
CVSS Scores
| | Score Type | Score | Vector |
|---|---|---|---|
| Amazon Linux | CVSSv3 | 5.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |
| NVD | CVSSv3 | 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |