216.73.216.75

CVE-2025-59530

· Published 10/10/2025 16:15 · Modified 10/10/2025 16:15

Labels: CVE-2025-59530 2025-10-10CVE-2025-59530CWE-617[email protected]

Essential information

Published
10/10/2025 16:15
Modified
10/10/2025 16:15
Author
Creator
CVSS
7.5 HIGH (v3.1)
CISA KEV
No
CWE
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS metrics

Description

quic-go is an implementation of the QUIC protocol in Go. In versions prior to 0.49.0, 0.54.1, and 0.55.0, a misbehaving or malicious server can cause a denial-of-service (DoS) attack on the quic-go client by triggering an assertion failure, leading to a process crash. This requires no authentication and can be exploited during the handshake phase. This was observed in the wild with certain server implementations. quic-go needs to be able to handle misbehaving server implementations, including those that prematurely send a HANDSHAKE_DONE frame. Versions 0.49.0, 0.54.1, and 0.55.0 discard Initial keys when receiving a HANDSHAKE_DONE frame, thereby correctly handling premature HANDSHAKE_DONE frames.

NVD status

Status
Received — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
quic-go / quic-go cpe:2.3:a:quic-go:quic-go:<0.49.0:*:*:*:*:*:*:*
quic-go / quic-go cpe:2.3:a:quic-go:quic-go:0.49.0:*:*:*:*:*:*:*
quic-go / quic-go cpe:2.3:a:quic-go:quic-go:0.54.1:*:*:*:*:*:*:*
quic-go / quic-go cpe:2.3:a:quic-go:quic-go:0.55.0:*:*:*:*:*:*:*

References