Skip to content

Add CVE-2025-24294: DoS in resolv gem #914

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 4 commits into from
Nov 7, 2025
Merged

Add CVE-2025-24294: DoS in resolv gem #914

merged 4 commits into from
Nov 7, 2025

Conversation

@hudakh
Copy link
Contributor

@hudakh hudakh commented Oct 28, 2025

Description:
Adds an advisory for a denial-of-service vulnerability in the resolv library bundled with Ruby.

Details:
A vulnerability exists in resolv where an attacker can craft a malicious DNS packet with a highly compressed domain name.
During parsing, the name-decompression can consume excessive CPU resources, leading to a thread or application becoming unresponsive (DoS).
Announcement

Affected versions:

  • Ruby 3.2 series: resolv ≤ 0.2.2
  • Ruby 3.3 series: resolv = 0.3.0
  • Ruby 3.4 series: resolv ≤ 0.6.1

References:

@hudakh
Copy link
Contributor Author

hudakh commented Oct 28, 2025

@jasnow for your review

postmodern
postmodern requested changes Oct 29, 2025
View reviewed changes
Copy link
Member

@postmodern postmodern left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This doesn't appear to be in the format of ruby-advisory-db's YAML schema. Please see the examples and YAML schema documentation.

rubies/ruby/CVE‑2025‑24294.yml Outdated
Copy link
Member

@postmodern postmodern Oct 29, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ruby-advisory-db omits the CVE- from the cve: field.

postmodern
postmodern requested changes Oct 29, 2025
View reviewed changes
Copy link
Member

@postmodern postmodern left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also will need to list the specific new ruby versions that were released, instead of the resolv gem versions.

postmodern
postmodern requested changes Oct 29, 2025
View reviewed changes
@hudakh
Copy link
Contributor Author

hudakh commented Oct 29, 2025

Thanks @postmodern. All addressed now, apologies for using the wrong schema.

@hudakh hudakh requested a review from postmodern November 3, 2025 00:26
postmodern
postmodern requested changes Nov 4, 2025
View reviewed changes
Copy link
Member

@postmodern postmodern left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Linter failed because of the indentation on lines 20-24. Should be four spaces, not two.

@hudakh
Copy link
Contributor Author

hudakh commented Nov 4, 2025

Linter failed because of the indentation on lines 20-24. Should be four spaces, not two.

Just saw that and pushed a fix.

@hudakh hudakh requested a review from postmodern November 4, 2025 04:16
@postmodern postmodern merged commit 52a3cc0 into rubysec:master Nov 7, 2025
1 check passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@postmodern postmodern postmodern approved these changes

Assignees

@hudakh hudakh

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@hudakh @postmodern @huda-kh