It's always DNS part ∞: tracking down a use-after-free bug in Envoy's DNS (www.pomerium.com)

🤖 AI Summary
A use-after-free bug has been identified in c-ares, the DNS resolver library used by Envoy, with denial-of-service implications (CVE-2025-62408, CVE-2025-67514). A specific sequence of DNS responses can trigger the bug and crash the application in environments running c-ares 1.34.5 or earlier. The issue surfaced when a customer's Pomerium deployment repeatedly crashed under heavy load; the trigger was an unusual interaction between an NXDOMAIN response (here, to a query for a non-fully-qualified name) and a connection error in a Kubernetes cluster that used NodeLocal DNSCache. The discovery process highlighted the value of collaboration between users and maintainers in the open-source ecosystem. With the aid of AddressSanitizer, the team traced the fault to the resolver's connection handling, where memory was freed while still in use. While the practical attack vector is narrow, requiring control of the DNS server that the resolver queries, a memory-safety bug in such a widely used library is still a serious concern. A patch has been written and deployed to the affected services.
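The bug class the summary describes, reduced to a deterministic model in C. This is an added example, not c-ares, Envoy or Pomerium code, and it does not reproduce the actual CVE logic: the connection and query tables, the two-answer sequence (an NXDOMAIN followed by a response with a transport error) and the `conn_touch()` check are all constructed here. Instead of calling `free()`, the model sets a `freed` flag so the stale access is observable without undefined behaviour; in a real build that job belongs to AddressSanitizer.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative model of the bug class, not c-ares source: a read loop caches a
 * pointer to the connection it is draining, calls into answer processing that
 * can tear that connection down (freeing it and every query on it), and then
 * touches the cached pointer.  free() is replaced by a `freed` flag so the
 * hazard is deterministic; in a real build ASan plays conn_touch()'s role. */

#define MAX_CONNS   2
#define MAX_QUERIES 4

enum rcode { RCODE_NOERROR = 0, RCODE_NXDOMAIN = 3 };

struct conn  { bool in_use, freed; int answers_read; };
struct query { bool in_use, freed; uint16_t id; int conn; };
struct answer { uint16_t id; int rcode; bool conn_error; /* transport failed after this response */ };

struct resolver {
    struct conn  conns[MAX_CONNS];
    struct query queries[MAX_QUERIES];
    int completed;     /* queries that ended with a final answer */
    int uaf_reports;   /* touches of freed memory: what ASan would flag */
};

struct outcome { int completed; int uaf_reports; int pending; };

static int conn_open(struct resolver *r) {
    for (int i = 0; i < MAX_CONNS; i++)
        if (!r->conns[i].in_use) { r->conns[i] = (struct conn){ .in_use = true }; return i; }
    return -1;
}

static bool query_new(struct resolver *r, uint16_t id, int conn) {
    for (int i = 0; i < MAX_QUERIES; i++)
        if (!r->queries[i].in_use) {
            r->queries[i] = (struct query){ .in_use = true, .id = id, .conn = conn };
            return true;
        }
    return false;
}

static struct query *find_query(struct resolver *r, uint16_t id) {
    for (int i = 0; i < MAX_QUERIES; i++)
        if (r->queries[i].in_use && r->queries[i].id == id) return &r->queries[i];
    return NULL;
}

/* Stand-ins for free(): the bytes stay, but any later access is invalid. */
static void query_free(struct query *q) { q->in_use = false; q->freed = true; }
static void conn_free(struct conn *c)   { c->in_use = false; c->freed = true; }

/* Tearing down a connection also frees every query still in flight on it. */
static void conn_close(struct resolver *r, int ci) {
    for (int i = 0; i < MAX_QUERIES; i++)
        if (r->queries[i].in_use && r->queries[i].conn == ci) query_free(&r->queries[i]);
    conn_free(&r->conns[ci]);
}

/* Handle one response read from connection ci.  May free the connection. */
static void process_answer(struct resolver *r, int ci, const struct answer *a) {
    struct query *q = find_query(r, a->id);
    if (q == NULL) return;                        /* stale or spoofed id: ignore */
    if (a->conn_error) { conn_close(r, ci); return; }
    if (a->rcode == RCODE_NOERROR || a->rcode == RCODE_NXDOMAIN) {
        r->completed++;                           /* NXDOMAIN is a final answer too */
        query_free(q);
    }
}

/* Every access to a connection goes through here so a freed one is counted. */
static void conn_touch(struct resolver *r, struct conn *c) {
    if (c->freed) { r->uaf_reports++; return; }
    c->answers_read++;
}

/* BUG: `c` is cached before the loop and used after a call that may free it. */
static void read_answers_vulnerable(struct resolver *r, int ci, const struct answer *as, size_t n) {
    struct conn *c = &r->conns[ci];
    for (size_t i = 0; i < n; i++) {
        process_answer(r, ci, &as[i]);
        conn_touch(r, c);                         /* UAF once the conn was closed */
    }
}

/* FIX: re-derive liveness from the table after each call that can free, and
 * stop draining a connection that no longer exists. */
static void read_answers_fixed(struct resolver *r, int ci, const struct answer *as, size_t n) {
    for (size_t i = 0; i < n; i++) {
        process_answer(r, ci, &as[i]);
        if (!r->conns[ci].in_use) break;
        conn_touch(r, &r->conns[ci]);
    }
}

/* Constructed sequence: an NXDOMAIN for one query, then a response for a second
 * query followed by a transport error that tears the connection down. */
static struct outcome run_scenario(bool fixed) {
    struct resolver r; memset(&r, 0, sizeof r);
    int ci = conn_open(&r);
    query_new(&r, 0x1001, ci);
    query_new(&r, 0x1002, ci);
    const struct answer seq[] = {
        { .id = 0x1001, .rcode = RCODE_NXDOMAIN },
        { .id = 0x1002, .rcode = RCODE_NOERROR, .conn_error = true },
    };
    size_t n = sizeof seq / sizeof seq[0];
    if (fixed) read_answers_fixed(&r, ci, seq, n);
    else       read_answers_vulnerable(&r, ci, seq, n);

    struct outcome o = { .completed = r.completed, .uaf_reports = r.uaf_reports };
    for (int i = 0; i < MAX_QUERIES; i++) o.pending += r.queries[i].in_use;
    return o;
}

int main(void) {
    struct outcome v = run_scenario(false), f = run_scenario(true);
    printf("vulnerable: completed=%d uaf_reports=%d pending=%d\n", v.completed, v.uaf_reports, v.pending);
    printf("fixed:      completed=%d uaf_reports=%d pending=%d\n", f.completed, f.uaf_reports, f.pending);
    return 0;
}
```

The point of the fix is not the `break` itself but where liveness comes from: the vulnerable loop trusts a pointer it obtained before calling code that can free the object, while the fixed loop asks the owning table after every such call. In production code the same discipline usually means re-looking up by id or holding a reference count across the call; the `freed` flag here only makes the difference visible without a sanitizer.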