| Name | CVE-2025-24294 |
| Description | The attack vector is a potential Denial of Service (DoS). The vulnerability is caused by an insufficient check on the length of a decompressed domain name within a DNS packet. An attacker can craft a malicious DNS packet containing a highly compressed domain name. When the resolv library parses such a packet, the name decompression process consumes a large amount of CPU resources, as the library does not limit the resulting length of the name. This resource consumption can cause the application thread to become unresponsive, resulting in a Denial of Service condition. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| Debian Bugs | 1109337 |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| ruby2.7 (PTS) | bullseye | 2.7.4-1+deb11u1 | vulnerable |
| bullseye (security) | 2.7.4-1+deb11u5 | vulnerable | |
| ruby3.1 (PTS) | bookworm, bookworm (security) | 3.1.2-7+deb12u1 | vulnerable |
| ruby3.3 (PTS) | forky, sid, trixie | 3.3.8-2 | vulnerable |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| ruby2.7 | source | (unstable) | (unfixed) | |||
| ruby3.1 | source | (unstable) | (unfixed) | |||
| ruby3.3 | source | (unstable) | (unfixed) | 1109337 |
[trixie] - ruby3.3 <no-dsa> (Minor issue)
[bookworm] - ruby3.1 <no-dsa> (Minor issue)
[bullseye] - ruby2.7 <postponed> (Minor issue; DoS)
https://www.ruby-lang.org/en/news/2025/07/08/dos-resolv-cve-2025-24294/
https://github.com/ruby/resolv/commit/4c2f71b5e80826506f78417d85b38481c058fb25 (v0.6.2)
https://github.com/ruby/resolv/commit/24ed513f028d8e5c76310fcdecf07f79eb721a32 (v0.3.1)
https://github.com/ruby/resolv/commit/cde34cac9d87c37b33c19eede3ed49ac3f465a18 (v0.2.3)