CVE-2025-62408

low-risk

Published 2025-12-08

c-ares is an asynchronous resolver library. Versions 1.32.3 through 1.34.5 terminate a query after maximum attempts when using read_answer() and process_answer(), which can cause a Denial of Service. This issue is fixed in version 1.34.6.

Do I need to act?

0.03% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 5.9/10 Medium

NETWORK / HIGH complexity

Affected Products (1)

C-Ares

Affected Vendors

C-Ares

References (2)

Patch https://github.com/c-ares/c-ares/commit/714bf5675c541bd1e668a8db8e67ce012651e618

Patch https://github.com/c-ares/c-ares/security/advisories/GHSA-jq53-42q6-pqr5

/ 100

low-risk

Severity 18/34 · Moderate

Exploitability 0/34 · Minimal

Exposure 5/34 · Minimal