Impact
An attacker can send crafted requests to the internal web server that cause unbounded memory allocation, resulting in a denial of service. The flaw stems from insufficient input validation: the server does not bound the size of the request data it processes, so it allocates memory in proportion to whatever the attacker sends. Repeating such requests until the process exhausts available memory leaves the server unresponsive. The CVSS score of 4.3 corresponds to a medium severity rating, consistent with a resource-exhaustion flaw whose impact is on availability.
Affected Systems
The vulnerability affects the PowerDNS Authoritative Server, across versions, when its internal web server component is enabled. Installations that keep the web server disabled are not exposed; any installation that has enabled it and has not been updated to a fixed release should be treated as vulnerable.
Risk and Exploitability
The CVSS score of 4.3 indicates medium severity. No EPSS score is available for this flaw and it is not listed in the CISA KEV catalog, so there is no evidence here of exploitation in the wild; note that a missing EPSS score is not itself evidence either way. The attack vector is remote, since the flaw is triggered by web requests: an attacker only needs network reachability to the internal web server port, and no privileged access or authentication is required. Because the web server is disabled by default, most deployments are not exposed. Any configuration that enables it, and in particular one that binds it to a non-loopback address, exposes the process to memory exhaustion and eventual denial of service until the server is patched or the web server is disabled again.
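Because exposure hinges entirely on whether the internal web server is enabled and where it listens, the practical first check is a configuration audit. The script below is an added example and not PowerDNS project code: it reads a pdns.conf, resolves the effective value of a setting (last occurrence wins, comments stripped), and classifies the deployment as disabled, loopback-only, or network-exposed. The setting names and defaults it relies on (webserver=no, webserver-address=127.0.0.1, webserver-allow-from=127.0.0.1,::1) are assumed from the PowerDNS Authoritative documentation and should be verified against the version in use; the embedded sample configuration is constructed for the example.

```shell
#!/bin/sh
# Added example, not PowerDNS project code: audit a pdns.conf for the
# internal webserver exposure discussed above. Setting names and defaults
# (webserver=no, webserver-address=127.0.0.1, webserver-allow-from=127.0.0.1,::1)
# are assumed from the PowerDNS Authoritative documentation; verify them
# against the version you run.

# Print the effective value of a key from a pdns.conf-style file.
# Comments (#...) are stripped, keys and values are trimmed, the last
# occurrence wins, and the supplied default is printed if the key is absent.
pdns_setting() {
    # $1 = config file, $2 = key, $3 = default
    sed -e 's/#.*//' "$1" | awk -v k="$2" -v d="$3" '
        index($0, "=") {
            key = substr($0, 1, index($0, "=") - 1)
            val = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == k) { v = val; found = 1 }
        }
        END { print (found ? v : d) }'
}

# Classify the webserver exposure of a config file. Prints one word:
#   disabled  - webserver is off (the default), so the flaw is unreachable
#   loopback  - webserver is on but bound to a loopback address only
#   exposed   - webserver is on and bound to a non-loopback address
pdns_webserver_exposure() {
    conf="$1"
    case "$(pdns_setting "$conf" webserver no)" in
        yes|true|on|1) ;;
        *) echo disabled; return 0 ;;
    esac
    addr=$(pdns_setting "$conf" webserver-address 127.0.0.1)
    case "$addr" in
        127.*|::1|"[::1]"*|localhost*) echo loopback ;;
        *) echo exposed ;;
    esac
}

# Human-readable report, including the ACL so an operator can see at a
# glance whether a network-exposed webserver is at least restricted.
pdns_webserver_report() {
    conf="$1"
    printf 'webserver exposure:   %s\n' "$(pdns_webserver_exposure "$conf")"
    printf 'webserver-address:    %s\n' "$(pdns_setting "$conf" webserver-address 127.0.0.1)"
    printf 'webserver-allow-from: %s\n' "$(pdns_setting "$conf" webserver-allow-from '127.0.0.1,::1')"
}

# Constructed sample configuration (not taken from any real deployment).
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
# pdns.conf - constructed example with the webserver turned on
launch=gsqlite3
webserver=yes
webserver-address=0.0.0.0   # listens on every interface
webserver-allow-from=127.0.0.1,::1
api=yes
api-key=changeme
EOF

# Audit the real file if PDNS_CONF is set, otherwise the constructed sample.
pdns_webserver_report "${PDNS_CONF:-$SAMPLE_CONF}"
```

Run it with `PDNS_CONF=/etc/powerdns/pdns.conf sh audit.sh` against a live host. A result of `disabled` means the vulnerable component is not reachable at all; `loopback` limits the attack to local processes; `exposed` is the configuration the Risk section warns about and should be either patched, re-bound to a loopback address, or turned off. The allow-from ACL is reported for context only: the script does not assume that the ACL is checked before the server allocates memory for a request.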
OpenCVE Enrichment