
Vulnerabilities: stdlib and coredns

Open gabicavalcante opened this issue 3 months ago • 6 comments

Our scan found some High CVEs on cloudflared:

  • coredns
    • CVE-2025-58063
  • stdlib:
    • CVE-2025-4674
    • CVE-2025-47907

Do these CVEs actually affect cloudflared in practice? And is there a patched release planned?

gabicavalcante avatar Sep 16 '25 17:09 gabicavalcante

Same here! They were found by Aikido.


Details from each vulnerability:

(Three screenshots attached: stdlib, libc, coredns.)

jjpaulo2 avatar Sep 16 '25 20:09 jjpaulo2

We will be removing core-dns in the next release. Regarding stdlib and libc, those should be fixed in the latest release.

jcsf avatar Sep 22 '25 14:09 jcsf

Hey @jcsf, I saw there were new releases, but I checked the release notes and didn't find the core-dns removal. I might not be looking in the right place. Can you confirm if it was possible to drop this dependency?

gabicavalcante avatar Nov 10 '25 17:11 gabicavalcante

We have not announced coredns removal just yet. At the same time, it only affects customers that use the legacy and undocumented cloudflared proxy-dns feature, not cloudflared in general.

nikitacano avatar Nov 10 '25 17:11 nikitacano
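The first post asks whether these CVEs affect cloudflared in practice, and the reply above narrows the coredns finding to the proxy-dns feature. A scanner only sees the module list; the first thing a practitioner can do is confirm what is actually compiled into the binary they run. The helper below is an added example, not cloudflared's code or anything from the Aikido report: it parses the output of `go version -m <binary>` (a constructed sample is embedded so it runs offline) to extract the Go toolchain version and the linked modules, and then reports whether the toolchain predates a fixed version and whether any flagged module is linked in. The Go and module versions in the sample, the fixed-version threshold passed to `triage`, and the function names are all assumptions; take the real fixed versions from each CVE's advisory.

```python
"""Triage helper for Go dependency CVEs: what is actually in the binary?

Added example, not cloudflared's code. Parses `go version -m <binary>`
output rather than invoking the tool, so the constructed sample below
runs offline. Fixed-version thresholds are caller-supplied placeholders.
"""
import re

# Constructed sample of `go version -m cloudflared` output. Versions and
# hashes are made up for illustration; run the command on your own binary.
SAMPLE_BUILD_INFO = """\
cloudflared: go1.24.3
\tpath\tgithub.com/cloudflare/cloudflared/cmd/cloudflared
\tmod\tgithub.com/cloudflare/cloudflared\t(devel)
\tdep\tgithub.com/coredns/coredns\tv1.11.3\th1:EXAMPLEHASH=
\tdep\tgithub.com/miekg/dns\tv1.1.62\th1:EXAMPLEHASH=
\tbuild\t-buildmode=exe
\tbuild\tGOOS=linux
"""


def parse_go_version_m(text):
    """Return (go_toolchain_version, {module_path: version}).

    The first line is "<binary>: goX.Y.Z"; every following line is
    tab-indented with a record type (path, mod, dep, build) and fields.
    """
    go_version = None
    modules = {}
    for line in text.splitlines():
        if not line.startswith("\t"):
            m = re.search(r":\s+(go\d+\.\d+(?:\.\d+)?)", line)
            if m:
                go_version = m.group(1)
            continue
        fields = line.strip("\t").split("\t")
        # 'mod' is the main module, 'dep' is a linked dependency; both carry
        # a version in the third field. 'build' and 'path' records are skipped.
        if fields[0] in ("dep", "mod") and len(fields) >= 3:
            modules[fields[1]] = fields[2]
    return go_version, modules


def version_tuple(v):
    """'go1.24.3' or 'v1.11.3' -> (1, 24, 3) so versions compare numerically."""
    return tuple(int(n) for n in re.findall(r"\d+", v))


def triage(text, fixed_go_version, flagged_modules):
    """Summarise exposure for a scanner finding.

    fixed_go_version: placeholder for the Go release that fixes the stdlib
    CVEs (from the advisory). flagged_modules: module paths the scanner named.
    Being linked in is necessary, not sufficient, for a dependency CVE to be
    exploitable; reachability is a separate question.
    """
    go_version, modules = parse_go_version_m(text)
    needs_update = None
    if go_version is not None:
        needs_update = version_tuple(go_version) < version_tuple(fixed_go_version)
    return {
        "go_version": go_version,
        "stdlib_needs_update": needs_update,
        "linked_flagged_modules": {m: modules[m] for m in flagged_modules if m in modules},
    }


if __name__ == "__main__":
    # Hypothetical threshold and module list, standing in for advisory data.
    print(triage(SAMPLE_BUILD_INFO, "go1.24.6", ["github.com/coredns/coredns"]))
```

If a flagged module is linked in, the next step is reachability rather than presence: `govulncheck -mode=binary <binary>` reports only those vulnerabilities whose affected symbols are present in the binary, which is the check behind the distinction the maintainer draws between proxy-dns users and cloudflared in general.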

This is now publicly announced with a due date set to February 2, 2026: https://developers.cloudflare.com/changelog/2025-11-11-cloudflared-proxy-dns/.

nikitacano avatar Nov 12 '25 18:11 nikitacano

@nikitacano is there any way you guys can still keep this feature? I've been using it for 6 years and on plenty of IoT devices, which will be a pain to switch to another solution (I guess dnscrypt-proxy is one?).

Please reconsider this, there must be some way to keep the functionality, perhaps with another non-vulnerable library?

XhmikosR avatar Nov 28 '25 13:11 XhmikosR