rubysec · hudakh · Oct 28, 2025 · Oct 29, 2025 · Nov 4, 2025 · Nov 4, 2025
diff --git a/rubies/ruby/CVE‑2025‑24294.yml b/rubies/ruby/CVE‑2025‑24294.yml
@@ -0,0 +1,24 @@
+---
+engine: ruby
+cve: 2025-24294
+url: https://www.ruby-lang.org/en/news/2025/07/08/dos-resolv-cve-2025-24294/
+title: Possible Denial of Service in resolv gem
+date: 2025-07-08
+description: |
+  A denial of service vulnerability has been discovered in the `resolv` gem bundled with Ruby.
+
+  The vulnerability is caused by an insufficient check on the length of a decompressed domain name within a DNS packet.
+  An attacker can craft a malicious DNS packet containing a highly compressed domain name. When the resolv library parses such a packet,
+  the name-decompression process consumes a large amount of CPU resources, as the library does not limit the resulting length of the name.
+  This resource consumption can cause the application thread to become unresponsive, resulting in a Denial of Service condition.
+patched_versions:
+  - "~> 3.2.9"
+  - "~> 3.3.9"
+  - ">= 3.4.5"
+related:
+  url:
+  - https://github.com/rubysec/ruby-advisory-db/blob/master/gems/resolv/CVE-2025-24294.yml
+  - https://www.cve.org/CVE-2025-24294
+  - https://www.ruby-lang.org/en/news/2025/07/24/ruby-3-2-9-released/
+  - https://www.ruby-lang.org/en/news/2025/07/24/ruby-3-3-9-released/
+  - https://www.ruby-lang.org/en/news/2025/07/15/ruby-3-4-5-released/