Azure Linux 3.0 Security Update: coredns (CVE-2025-47950)

🗓️ 11 Jul 2025 00:00:00Reported by TenableType

CoreDNS in Azure Linux 3.0 before version 1.12.2 is vulnerable to DoS attack (CVE-2025-47950).

Reporter	Title	Published	Views	Family All 51
IBM Security Bulletins	Security Bulletin: Multiple Vulnerabilities in IBM CloudPak for AIOps	30 Jul 202517:05	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Storage Protect Server is susceptible to a vulnerability due to Golang coredns library	5 Dec 202512:47	–	ibm
AlpineLinux	CVE-2025-47950	6 Jun 202518:15	–	alpinelinux
AlpineLinux	CVE-2025-68151	8 Jan 202615:33	–	alpinelinux
BDU FSTEC	The vulnerability of the QUIC protocol and CoreDNS server implementation allows a attacker to cause a service failure.	9 Jun 202500:00	–	bdu_fstec
CBLMariner	CVE-2025-47950 affecting package coredns for versions less than 1.11.4-7	10 Jul 202515:09	–	cbl_mariner
CBLMariner	CVE-2025-47950 affecting package coredns for versions less than 1.11.1-19	10 Jul 202515:07	–	cbl_mariner
Chainguard	CVE-2025-47950 vulnerabilities	10 Jun 202513:20	–	cgr
Circl	CVE-2025-47950	11 Jun 202512:17	–	circl
CNNVD	CoreDNS 安全漏洞	6 Jun 202500:00	–	cnnvd

Source	Link
nvd	www.nvd.nist.gov/vuln/detail/CVE-2025-47950
cve	www.cve.mitre.org/cgi-bin/cvename.cgi

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(241912);
  script_version("1.2");
  script_set_attribute(attribute:"plugin_modification_date", value:"2025/09/15");

  script_cve_id("CVE-2025-47950");

  script_name(english:"Azure Linux 3.0 Security Update: coredns (CVE-2025-47950)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Azure Linux host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The version of coredns installed on the remote Azure Linux 3.0 host is prior to tested version. It is, therefore,
affected by a vulnerability as referenced in the CVE-2025-47950 advisory.

  - CoreDNS is a DNS server that chains plugins. In versions prior to 1.12.2, a Denial of Service (DoS)
    vulnerability exists in the CoreDNS DNS-over-QUIC (DoQ) server implementation. The server previously
    created a new goroutine for every incoming QUIC stream without imposing any limits on the number of
    concurrent streams or goroutines. A remote, unauthenticated attacker could open a large number of streams,
    leading to uncontrolled memory consumption and eventually causing an Out Of Memory (OOM) crash 
    especially in containerized or memory-constrained environments. The patch in version 1.12.2 introduces two
    key mitigation mechanisms: `max_streams`, which caps the number of concurrent QUIC streams per connection
    with a default value of `256`; and `worker_pool_size`, which Introduces a server-wide, bounded worker pool
    to process incoming streams with a default value of `1024`. This eliminates the 1:1 stream-to-goroutine
    model and ensures that CoreDNS remains resilient under high concurrency. Some workarounds are available
    for those who are unable to upgrade. Disable QUIC support by removing or commenting out the `quic://`
    block in the Corefile, use container runtime resource limits to detect and isolate excessive memory usage,
    and/or monitor QUIC connection patterns and alert on anomalies. (CVE-2025-47950)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://nvd.nist.gov/vuln/detail/CVE-2025-47950");
  script_set_attribute(attribute:"solution", value:
"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2025-47950");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2025/06/06");
  script_set_attribute(attribute:"patch_publication_date", value:"2025/07/08");
  script_set_attribute(attribute:"plugin_publication_date", value:"2025/07/11");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:microsoft:azure_linux:coredns");
  script_set_attribute(attribute:"cpe", value:"x-cpe:/o:microsoft:azure_linux");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Azure Linux Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2025 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info2.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/AzureLinux/release", "Host/AzureLinux/rpm-list", "Host/cpu");

  exit(0);
}
include('rpm.inc');

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var release = get_kb_item('Host/AzureLinux/release');
if (isnull(release) || 'Azure Linux' >!< release) audit(AUDIT_OS_NOT, 'Azure Linux');
var os_ver = pregmatch(pattern: "Azure Linux ([0-9]+(\.[0-9]+)?)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Azure Linux');
os_ver = os_ver[1];
if (! preg(pattern:"^3([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, 'Azure Linux 3.0', 'Azure Linux ' + os_ver);

if (!get_kb_item('Host/AzureLinux/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 'aarch64' >!< cpu)
  audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Azure Linux', cpu);

var pkgs = [
    {'reference':'coredns-1.11.4-7.azl3', 'cpu':'aarch64', 'release':'3.0', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'coredns-1.11.4-7.azl3', 'cpu':'x86_64', 'release':'3.0', 'rpm_spec_vers_cmp':TRUE}
];

var flag = 0;
foreach var package_array ( pkgs ) {
  var reference = NULL;
  var _release = NULL;
  var sp = NULL;
  var _cpu = NULL;
  var el_string = NULL;
  var rpm_spec_vers_cmp = NULL;
  var epoch = NULL;
  var allowmaj = NULL;
  var exists_check = NULL;
  var cves = NULL;
  if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
  if (!empty_or_null(package_array['release'])) _release = 'Azure Linux ' + package_array['release'];
  if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];
  if (!empty_or_null(package_array['cpu'])) _cpu = package_array['cpu'];
  if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];
  if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];
  if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];
  if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];
  if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];
  if (!empty_or_null(package_array['cves'])) cves = package_array['cves'];
  if (reference && _release && (!exists_check || rpm_exists(release:_release, rpm:exists_check))) {
    if (rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
  }
}

if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_HOLE,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'coredns');
}

15 Sep 2025 00:00Current

7.8High risk

Vulners AI Score7.8

CVSS 3.17.5

EPSS0.00151

SSVC