CVE-2025-62408 - Vulnerability Details - OpenCVE

c-ares is an asynchronous resolver library. Versions 1.32.3 through 1.34.5 terminate a query after maximum attempts when using read_answer() and process_answer(), which can cause a Denial of Service. This issue is fixed in version 1.34.6.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
C-ares	C-ares

No data.

No data.

References

Link	Providers
https://github.com/c-ares/c-ares/commit/714bf5675c541bd1e668a8db8e67ce012651e618
https://github.com/c-ares/c-ares/security/advisories/GHSA-jq53-42q6-pqr5

History

Tue, 09 Dec 2025 16:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 09 Dec 2025 10:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		C-ares C-ares c-ares
Vendors & Products		C-ares C-ares c-ares

Mon, 08 Dec 2025 22:15:00 +0000

Type	Values Removed	Values Added
Description		c-ares is an asynchronous resolver library. Versions 1.32.3 through 1.34.5 terminate a query after maximum attempts when using read_answer() and process_answer(), which can cause a Denial of Service. This issue is fixed in version 1.34.6.
Title		c-ares has a Use After Free vulnerability when connection is cleaned up after error
Weaknesses		CWE-416
References		https://github.com/c-ares/c-ares/commit/714bf5675c541bd1e668a8db8e67ce012651e618 https://github.com/c-ares/c-ares/security/advisories/GHSA-jq53-42q6-pqr5
Metrics		cvssV3_1 `{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2025-12-08T22:04:08.565Z

Updated: 2025-12-09T16:05:06.098Z

Reserved: 2025-10-13T16:26:12.178Z

Link: CVE-2025-62408

Vulnrichment

Updated: 2025-12-09T14:20:06.524Z

NVD

Status : Awaiting Analysis

Published: 2025-12-08T22:15:52.620

Modified: 2025-12-09T18:37:33.427

Link: CVE-2025-62408

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-62408", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-10-13T16:26:12.178Z", "datePublished": "2025-12-08T22:04:08.565Z", "dateUpdated": "2025-12-09T16:05:06.098Z"}, "containers": {"cna": {"title": "c-ares has a Use After Free vulnerability when connection is cleaned up after error", "problemTypes": [{"descriptions": [{"cweId": "CWE-416", "lang": "en", "description": "CWE-416: Use After Free", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/c-ares/c-ares/security/advisories/GHSA-jq53-42q6-pqr5", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/c-ares/c-ares/security/advisories/GHSA-jq53-42q6-pqr5"}, {"name": "https://github.com/c-ares/c-ares/commit/714bf5675c541bd1e668a8db8e67ce012651e618", "tags": ["x_refsource_MISC"], "url": "https://github.com/c-ares/c-ares/commit/714bf5675c541bd1e668a8db8e67ce012651e618"}], "affected": [{"vendor": "c-ares", "product": "c-ares", "versions": [{"version": "> 1.32.3, < 1.34.6", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-12-08T22:04:08.565Z"}, "descriptions": [{"lang": "en", "value": "c-ares is an asynchronous resolver library. Versions 1.32.3 through 1.34.5 terminate a query after maximum attempts when using read_answer() and process_answer(), which can cause a Denial of Service. This issue is fixed in version 1.34.6."}], "source": {"advisory": "GHSA-jq53-42q6-pqr5", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-09T14:20:03.531539Z", "id": "CVE-2025-62408", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-09T16:05:06.098Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-62408", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-09T14:20:03.531539Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-09T14:20:06.524Z"}}], "cna": {"title": "c-ares has a Use After Free vulnerability when connection is cleaned up after error", "source": {"advisory": "GHSA-jq53-42q6-pqr5", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "c-ares", "product": "c-ares", "versions": [{"status": "affected", "version": "> 1.32.3, < 1.34.6"}]}], "references": [{"url": "https://github.com/c-ares/c-ares/security/advisories/GHSA-jq53-42q6-pqr5", "name": "https://github.com/c-ares/c-ares/security/advisories/GHSA-jq53-42q6-pqr5", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/c-ares/c-ares/commit/714bf5675c541bd1e668a8db8e67ce012651e618", "name": "https://github.com/c-ares/c-ares/commit/714bf5675c541bd1e668a8db8e67ce012651e618", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "c-ares is an asynchronous resolver library. Versions 1.32.3 through 1.34.5 terminate a query after maximum attempts when using read_answer() and process_answer(), which can cause a Denial of Service. This issue is fixed in version 1.34.6."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-416", "description": "CWE-416: Use After Free"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-12-08T22:04:08.565Z"}}}, "cveMetadata": {"cveId": "CVE-2025-62408", "state": "PUBLISHED", "dateUpdated": "2025-12-09T16:05:06.098Z", "dateReserved": "2025-10-13T16:26:12.178Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-12-08T22:04:08.565Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}