PT-2025-41573 · Quic-Go+1
Rsukhodolskyi · Published 2025-10-10 · Updated 2025-11-14
CVE-2025-59530 · CVSS v3.1 7.5 High
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
Name of the Vulnerable Software and Affected Versions
quic-go versions prior to 0.49.0
quic-go versions prior to 0.54.1
quic-go versions prior to 0.55.0
Description
quic-go is an implementation of the QUIC protocol in Go. In affected versions, a malicious or misbehaving server can crash a quic-go client: the client treats a condition that is controlled by the remote peer as an internal invariant, so violating it triggers an assertion failure (a Go panic) that terminates the whole client process, a denial of service. The trigger is a HANDSHAKE_DONE frame (RFC 9000 §19.20) that the server sends before the client's handshake has completed. A conforming server must not send HANDSHAKE_DONE before completing the handshake, so a premature frame is a protocol violation that the client should answer by closing that connection with a PROTOCOL_VIOLATION error, not by crashing. The issue is reachable during the handshake phase, before any application data is exchanged, and requires no authentication: any quic-go client that connects to an attacker-controlled, or merely buggy, server is exposed. Premature HANDSHAKE_DONE frames have been observed in real-world attacks involving certain server implementations.
Recommendations
Update to quic-go version 0.49.0 or later.
Update to quic-go version 0.54.1 or later.
Update to quic-go version 0.55.0 or later.
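The bug class described above, as an added model in Go that is not quic-go's own code: a minimal walker over the frames of an already decrypted 1-RTT payload, with a hypothetical clientConn whose handshake state is assumed. The vulnerable handler turns a server-controlled condition into a panic that takes the process down; the hardened handler turns the same condition into a PROTOCOL_VIOLATION transport error that closes only that connection. Frame type and error code values are taken from RFC 9000; the payload bytes are constructed for the example and stand in for frames that, in a real attack, would arrive inside a protected 1-RTT packet.

```go
package main

import (
	"errors"
	"fmt"
)

// Frame types (RFC 9000 §12.4) and transport error codes (RFC 9000 §20.1) used by this model.
const (
	frameTypePadding       uint64 = 0x00
	frameTypePing          uint64 = 0x01
	frameTypeHandshakeDone uint64 = 0x1e

	errFrameEncoding     uint64 = 0x07 // FRAME_ENCODING_ERROR
	errProtocolViolation uint64 = 0x0a // PROTOCOL_VIOLATION
)

// TransportError is the outcome a client should produce for peer misbehaviour:
// close this one connection with a CONNECTION_CLOSE, not terminate the process.
type TransportError struct {
	Code   uint64
	Reason string
}

func (e *TransportError) Error() string {
	return fmt.Sprintf("transport error 0x%x: %s", e.Code, e.Reason)
}

// readVarint decodes a QUIC variable-length integer (RFC 9000 §16) and returns
// the value and the number of bytes consumed.
func readVarint(b []byte) (uint64, int, error) {
	if len(b) == 0 {
		return 0, 0, errors.New("truncated varint")
	}
	n := 1 << (b[0] >> 6) // 1, 2, 4 or 8 bytes, chosen by the top two bits
	if len(b) < n {
		return 0, 0, errors.New("truncated varint")
	}
	v := uint64(b[0] & 0x3f)
	for i := 1; i < n; i++ {
		v = v<<8 | uint64(b[i])
	}
	return v, n, nil
}

// clientConn is a hypothetical, minimal model of client-side handshake state.
type clientConn struct {
	handshakeComplete  bool // client has finished the TLS handshake
	handshakeConfirmed bool // set on HANDSHAKE_DONE (RFC 9000 §19.20)
}

// handleFrameVulnerable shows the bug class: the check is written as an
// internal invariant, but the condition is decided by the remote server.
func (c *clientConn) handleFrameVulnerable(ft uint64) {
	switch ft {
	case frameTypePadding, frameTypePing:
	case frameTypeHandshakeDone:
		if !c.handshakeComplete {
			panic("BUG: HANDSHAKE_DONE before handshake completion") // kills the whole client
		}
		c.handshakeConfirmed = true
	}
}

// handleFrameHardened treats the same condition as a peer protocol violation.
func (c *clientConn) handleFrameHardened(ft uint64) error {
	switch ft {
	case frameTypePadding, frameTypePing:
		return nil
	case frameTypeHandshakeDone:
		if !c.handshakeComplete {
			return &TransportError{Code: errProtocolViolation,
				Reason: "HANDSHAKE_DONE received before the handshake completed"}
		}
		c.handshakeConfirmed = true
		return nil
	default:
		return &TransportError{Code: errFrameEncoding, Reason: fmt.Sprintf("unsupported frame type 0x%x", ft)}
	}
}

// processPayload walks the frames of a decrypted 1-RTT payload. With
// hardened=false it uses the vulnerable handler and reports the panic as
// crashed=true instead of letting it escape, so callers can observe it.
func (c *clientConn) processPayload(payload []byte, hardened bool) (crashed bool, err error) {
	defer func() {
		if r := recover(); r != nil {
			crashed = true
		}
	}()
	for len(payload) > 0 {
		ft, n, verr := readVarint(payload)
		if verr != nil {
			return false, &TransportError{Code: errFrameEncoding, Reason: verr.Error()}
		}
		payload = payload[n:]
		if hardened {
			if err := c.handleFrameHardened(ft); err != nil {
				return false, err
			}
		} else {
			c.handleFrameVulnerable(ft)
		}
	}
	return false, nil
}

// prematureDone is a constructed payload: PING then HANDSHAKE_DONE, as a
// misbehaving server might send before the client's handshake is complete.
var prematureDone = []byte{0x01, 0x1e}

func main() {
	crashed, _ := (&clientConn{}).processPayload(prematureDone, false)
	fmt.Println("vulnerable client crashed:", crashed)
	_, err := (&clientConn{}).processPayload(prematureDone, true)
	fmt.Println("hardened client:", err)
}
```

The design point is where the check lives: a condition that depends on what the peer sends is input validation, not an invariant, and belongs on the error path. To find out which release a build actually links, `go list -m github.com/quic-go/quic-go` prints the resolved module version to compare against the fixed versions above; `govulncheck ./...` reports dependencies with entries in the Go vulnerability database.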
Exploit
Fix
DoS
Improper Handling of Exceptional Conditions
Assertion Failure
Related identifiers
Affected products
Debian
Quic-Go