CVE Details
CVE ID | Severity | Affected Package | Installed Version | Fixed Version | Date Published | Date of Scan |
---|---|---|---|---|---|---|
CVE-2025-24294 | UNKNOWN | resolv | 0.6.0 | ~> 0.2.2, ~> 0.3.0, >= 0.6.1 | 2025-07-12T04:15:46.683Z | 2025-07-12T10:20:12.206339762Z |
Affected Docker Images
Image Name | SHA |
---|---|
public.ecr.aws/lambda/ruby:latest | public.ecr.aws/lambda/ruby@sha256:58961303af026dfdff6b76f35e774a2b4bd4ef21c475b24d7841fa8f167386c1 |
public.ecr.aws/lambda/ruby:3.4 | public.ecr.aws/lambda/ruby@sha256:58961303af026dfdff6b76f35e774a2b4bd4ef21c475b24d7841fa8f167386c1 |
Description
The attack vector is a potential Denial of Service (DoS). The vulnerability is caused by an insufficient check on the length of a decompressed domain name within a DNS packet.
An attacker can craft a malicious DNS packet containing a highly compressed domain name. When the resolv library parses such a packet, the name decompression process consumes a large amount of CPU resources, as the library does not limit the resulting length of the name.
This resource consumption can cause the application thread to become unresponsive, resulting in a Denial of Service condition.
Remediation Steps
- Update the affected package resolv from version 0.6.0 to ~> 0.2.2, ~> 0.3.0, >= 0.6.1.
About this issue
- This issue may not contain all the information about the CVE nor the images it affects.
- This issue will not be updated with new information and the list of affected images may have changed since the creation of this issue.
- For more, visit Lambda Watchdog.
- This issue was created automatically by Lambda Watchdog.