Description
The resolver in nginx before 1.8.1 and 1.9.x before 1.9.10 does not properly limit CNAME resolution, which allows remote attackers to cause a denial of service (worker process resource consumption) via vectors related to arbitrary name resolution.
Remediation
References