Translate CVE-2025-24294 (zh_cn) #3586

Merged, 1 commit, Jul 10, 2025
41 changes: 41 additions & 0 deletions zh_cn/news/_posts/2025-07-08-dos-resolv-cve-2025-24294.md
@@ -0,0 +1,41 @@
---
layout: news_post
title: "CVE-2025-24294: resolv gem 中的拒绝服务攻击漏洞"
author: "mame"
translator: GAO Jun
date: 2025-07-08 07:00:00 +0000
tags: security
lang: zh_cn
---

Ruby 绑定的 `resolv` gem 中发现了一个拒绝服务攻击漏洞。
此漏洞的 CVE 编号为 [CVE-2025-24294]。
我们建议您更新 `resolv` gem。

## 详情

此漏洞源于未有效检验 DNS 包中的域名在解压缩后的长度。

攻击者可以构造一个 DNS 包,其中的域名信息经过高度压缩。
当 `resolve` 库解析这个包时,由于没有限制域名解压缩后的长度,解压缩进程会消耗大量的 CPU 资源。

这样的资源消耗可能会导致应用程序进程无法响应,从而导致拒绝服务。

## 受影响版本

此漏洞影响多个 Ruby 版本系列的绑定 `resolv` gem:

* Ruby 3.2 系列:`resolv` 0.2.2 及更早版本
* Ruby 3.3 系列:`resolv` 0.3.0
* Ruby 3.4 系列:`resolv` 0.6.1 及更早版本

## 致谢

感谢 [Manu] 发现此问题。

## 历史

* 最初发布于 2025-07-08 07:00:00 (UTC)

[CVE-2025-24294]: https://www.cve.org/CVERecord?id=CVE-2025-24294
[Manu]: https://hackerone.com/manun
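Review bot: the gem name is misspelled in the Details section: "当 `resolve` 库解析这个包时" should read "当 `resolv` 库解析这个包时", matching the title and every other reference to the `resolv` gem in this file; the new `resolve` spelling would send readers looking for a gem that is not the one being advised. A smaller wording point in the same hunk: "Ruby 绑定的 `resolv` gem" and "Ruby 版本系列的绑定 `resolv` gem" use 绑定 (bound) where the intended sense is "bundled with Ruby"; 捆绑 or 附带 is the usual rendering and would read more naturally in both sentences.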