rubysec · postmodern · Nov 7, 2025 · Oct 28, 2025 · Oct 29, 2025 · Nov 4, 2025
diff --git a/rubies/ruby/CVE‑2025‑24294.yml b/rubies/ruby/CVE‑2025‑24294.yml
@@ -0,0 +1,27 @@
+title: "CVE-2025-24294: DoS in resolv gem"
+cve: "CVE-2025-24294"
+date: "2025-07-08"
+url: "https://www.ruby-lang.org/en/news/2025/07/08/dos-resolv-cve-2025-24294/"
+description: |
+  A denial of service vulnerability has been discovered in the `resolv` gem bundled with Ruby.
+  The vulnerability is caused by an insufficient check on the length of a decompressed domain name within a DNS packet.
+  An attacker can craft a malicious DNS packet containing a highly compressed domain name. When the resolv library parses such a packet,
+  the name-decompression process consumes a large amount of CPU resources, as the library does not limit the resulting length of the name.
+  This resource consumption can cause the application thread to become unresponsive, resulting in a Denial of Service condition.
+affected:
+  - ruby: "3.2"
+    gem: "resolv"
+    versions: "<= 0.2.2"
+  - ruby: "3.3"
+    gem: "resolv"
+    versions: "<= 0.3.0"
+  - ruby: "3.4"
+    gem: "resolv"
+    versions: "<= 0.6.1"
+credits:
+  - name: "Manu"
+    source: "HackerOne"
+references:
+  - url: "https://www.ruby-lang.org/en/news/2025/07/08/dos-resolv-cve-2025-24294/"
+  - url: "https://www.cve.org/CVE-2025-24294"
+  - url: "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/resolv/CVE-2025-24294.yml"