GHSA-xh69-987w-hrp8: resolv vulnerable to DoS via insufficient DNS domain name length validation

1. GitHub Advisory Database
2. GitHub Reviewed
3. CVE-2025-24294

resolv vulnerable to DoS via insufficient DNS domain name length validation

Moderate severity GitHub Reviewed Published Jul 15, 2025 to the GitHub Advisory Database • Updated Jul 15, 2025

Package

Affected versions

< 0.2.3

>= 0.4.0, < 0.6.2

>= 0.3.0, < 0.3.1

Patched versions

0.2.3

0.6.2

0.3.1

A denial of service vulnerability has been discovered in the resolv gem bundled with Ruby.

Details

The vulnerability is caused by an insufficient check on the length of a decompressed domain name within a DNS packet.

An attacker can craft a malicious DNS packet containing a highly compressed domain name. When the resolv library parses such a packet, the name decompression process consumes a large amount of CPU resources, as the library does not limit the resulting
length of the name.

This resource consumption can cause the application thread to become unresponsive, resulting in a Denial of Service condition.

Affected Version

The vulnerability affects the resolv gem bundled with the following Ruby series:

• Ruby 3.2 series: resolv version 0.2.2 and earlier
• Ruby 3.3 series: resolv version 0.3.0
• Ruby 3.4 series: resolv version 0.6.1 and earlier

Credits

Thanks to Manu for discovering this issue.

History

Originally published at 2025-07-08 07:00:00 (UTC)

References

• https://nvd.nist.gov/vuln/detail/CVE-2025-24294
• ruby/resolv@4c2f71b
• https://github.com/rubysec/ruby-advisory-db/blob/master/gems/resolv/CVE-2025-24294.yml
• https://www.ruby-lang.org/en/news/2025/07/08/dos-resolv-cve-2025-24294

Published to the GitHub Advisory Database

Jul 15, 2025

Last updated

Jul 15, 2025