CVE-2025-24294 – resolv

Package

Manager: gem
Name: resolv
Vulnerable Version: >=0 <0.2.3 || >=0.4.0 <0.6.2 || >=0.3.0 <0.3.1

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U

EPSS: 0.00022 pctl0.04125

Details

resolv vulnerable to DoS via insufficient DNS domain name length validation A denial of service vulnerability has been discovered in the resolv gem bundled with Ruby. ## Details The vulnerability is caused by an insufficient check on the length of a decompressed domain name within a DNS packet. An attacker can craft a malicious DNS packet containing a highly compressed domain name. When the resolv library parses such a packet, the name decompression process consumes a large amount of CPU resources, as the library does not limit the resulting length of the name. This resource consumption can cause the application thread to become unresponsive, resulting in a Denial of Service condition. ## Affected Version The vulnerability affects the resolv gem bundled with the following Ruby series: * Ruby 3.2 series: resolv version 0.2.2 and earlier * Ruby 3.3 series: resolv version 0.3.0 * Ruby 3.4 series: resolv version 0.6.1 and earlier ## Credits Thanks to Manu for discovering this issue. ## History Originally published at 2025-07-08 07:00:00 (UTC)

Metadata

Created: 2025-07-15T14:37:08Z
Modified: 2025-07-15T22:56:19Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/07/GHSA-xh69-987w-hrp8/GHSA-xh69-987w-hrp8.json
CWE IDs: ["CWE-1284", "CWE-400"]
Alternative ID: GHSA-xh69-987w-hrp8
Finding: F211
Auto approve: 1