ADVISORIES
GEM
SEVERITY
CVSS v3.x: 7.5 (High)
PATCHED VERSIONS
- ~> 0.2.2
- ~> 0.3.0
- >= 0.6.1
DESCRIPTION
A denial of service vulnerability has been discovered in the resolv gem bundled with Ruby. This vulnerability has been assigned the CVE identifier CVE-2025-24294. We recommend upgrading the resolv gem.
Details
The vulnerability is caused by an insufficient check on the length of a decompressed domain name within a DNS packet.
An attacker can craft a malicious DNS packet containing a highly compressed domain name. When the resolv library parses such a packet, the name decompression process consumes a large amount of CPU resources, as the library does not limit the resulting length of the name.
This resource consumption can cause the application thread to become unresponsive, resulting in a Denial of Service condition.
Affected Version
The vulnerability affects the resolv gem bundled with the following Ruby series:
- Ruby 3.2 series: resolv version 0.2.2 and earlier
- Ruby 3.3 series: resolv version 0.3.0
- Ruby 3.4 series: resolv version 0.6.1 and earlier
Credits
Thanks to Manu for discovering this issue.
History
Originally published at 2025-07-08 07:00:00 (UTC)
RELATED
- https://nvd.nist.gov/vuln/detail/CVE-2025-24294
- https://www.ruby-lang.org/en/news/2025/07/08/dos-resolv-cve-2025-24294
- https://rubygems.org/gems/resolv
- https://www.cve.org/CVERecord?id=CVE-2025-24294
- https://www.vuxml.org/freebsd/eed1a411-699b-11f0-91fe-000c295725e4.html
- https://github.com/advisories/GHSA-xh69-987w-hrp8