Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
DNS is network-accessible with no auth or interaction required; A:L reflects the default SERVFAIL outcome, with crash only when non-default debug directive is active.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Lifecycle Timeline
4DescriptionCVE.org
CoreDNS is a DNS server written in Go. Prior to 1.14.5, the CoreDNS rewrite plugin supports edns0 rewrite rules with an optional revert flag, and two response rules, edns0SetResponseRule and edns0ReplaceResponseRule[T] in plugin/rewrite/edns0.go, call res.IsEdns0() and immediately dereference the returned *dns.OPT without a nil check when a downstream plugin returns a response with no OPT record. A remote, unauthenticated client can send a single ordinary DNS query matching a rewrite edns0 <local|nsid|subnet> <set|append|replace> ... revert rule, causing ResponseReverter in plugin/rewrite/reverter.go to panic, return SERVFAIL, and degrade availability, or crash the CoreDNS process if the debug directive disables recovery. This issue is fixed in version 1.14.5.
AnalysisAI
Nil pointer dereference in CoreDNS prior to 1.14.5 allows remote unauthenticated attackers to crash or degrade the DNS server by sending a single ordinary DNS query. The rewrite plugin's edns0 response rules dereference the result of IsEdns0() without a nil check; when a downstream plugin returns a response lacking an OPT record, the ResponseReverter panics, returning SERVFAIL in default deployments or terminating the CoreDNS process entirely when the debug directive is active. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the CoreDNS rewrite plugin is configured with at least one edns0 rewrite rule that includes the optional revert flag - specifically using the form 'rewrite edns0 <local|nsid|subnet> <set|append|replace> ... … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base score of 5.3 (Medium) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L accurately reflects the default-deployment outcome: a SERVFAIL response rather than a process crash. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with network access to a CoreDNS instance that has an edns0 rewrite revert rule configured sends a single standard DNS A query (no OPT record required) for a domain matching the rule's pattern. CoreDNS rewrites the request, forwards it to a downstream handler, and the handler returns a response without an OPT record; during response post-processing, the ResponseReverter dereferences a nil pointer and panics. … |
| Remediation | Upgrade CoreDNS to version 1.14.5, which contains the nil-guard fix introduced in commit fc447d0658b093edc8cd29a6b171216a44a644c2 via PR #8190; the release is at https://github.com/coredns/coredns/releases/tag/v1.14.5. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Coredns versions up to 1.14.2 contains a vulnerability that allows attackers to crash the DNS server by sending speciall
CoreDNS versions prior to 1.14.2 allow authenticated attackers to bypass DNS access controls through a Time-of-Check Tim
CoreDNS is a DNS server that chains plugins. Prior to version 1.14.0, multiple CoreDNS server implementations (gRPC, HTT
A denial of service vulnerability in versions (CVSS 7.5). High severity vulnerability requiring prompt remediation. Vend
Remote denial of service in CoreDNS versions prior to 1.14.4 allows an unauthenticated attacker to crash the DNS server
Unhandled Go runtime panic in CoreDNS 1.9.4 through 1.14.4 allows a network-reachable DNS client with AXFR permission to
Same weakness CWE-476 – NULL Pointer Dereference
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-45020