Intel

AIKIDO-2026-60073

dns2 is vulnerable to Denial of Service (DoS)

Denial of Service (DoS) Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published 2 days ago

46

Medium Risk

This Affects:

JSdns2
1.1.0 - 2.2.1
Fixed in 2.3.0
Are you affected? Scan for Free

TL;DR

Packet.Name.decode in packet.js follows DNS name compression pointers when decoding names but does not track which pointer offsets it has already visited. A crafted DNS message whose name pointers reference each other in a cycle makes the decoder jump between the same offsets endlessly. Because parsing runs on the single-threaded Node.js event loop, one malformed packet causes an infinite loop that hangs the server or client process handling it. The fix records visited pointer targets in a Set and throws Name decode: pointer cycle detected when a pointer target repeats.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and your application parses DNS messages from untrusted sources.

Background info

dns2 is vulnerable to Denial of Service (DoS) in versions 1.1.0 - 2.2.1.

How to fix this

Upgrade the dns2 library to the patch version.