CVE-2025-30187

low-risk

Published 2025-09-18

In some circumstances, when DNSdist is configured to use the nghttp2 library to process incoming DNS over HTTPS queries, an attacker might be able to cause a denial of service by crafting a DoH exchange that triggers an unbounded I/O read loop, causing an unexpected consumption of CPU resources.

Do I need to act?

0.01% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 3.7/10 Low

NETWORK / HIGH complexity

References (2)

https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2025-0...

http://www.openwall.com/lists/oss-security/2025/09/18/1

/ 100

low-risk

Severity 13/34 · Low

Exploitability 0/34 · Minimal

Exposure 5/34 · Minimal