PT-2025-23490 · Quic-Go+1
Marten-Seemann · Published 2025-06-02 · Updated 2025-07-03 · CVE-2025-29785
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions
quic-go version 0.50.0
Description
The loss recovery logic for path probe packets in quic-go can be exploited by a malicious QUIC client to trigger a nil-pointer dereference. This is achieved by sending valid QUIC packets from different remote addresses, triggering the path validation logic and causing the server to send path probe packets, followed by sending specifically crafted ACKs for packets received from the server.
Recommendations
For quic-go version 0.50.0, update to version 0.50.1, which contains a patch that fixes the vulnerability.
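To check whether a project is pinned to the affected release, the following added example (not code from quic-go or from this advisory) reads the text of a go.mod file and reports the quic-go version the build resolves to. The module path github.com/quic-go/quic-go and the name auditGoMod are not stated on the page and are assumptions of this example; the sample input is constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// Module path is an assumption (not on the page); the version is the advisory's.
const quicGo, vulnerable = "github.com/quic-go/quic-go", "v0.50.0"

// auditGoMod returns "absent", "affected", "not-affected" or "review"
// (a replace directive points at a fork, a local path or one specific version).
func auditGoMod(gomod string) string {
	var replaced []string // fields after the module path in a replace directive
	required, block := "", ""
	for _, line := range strings.Split(gomod, "\n") {
		line, _, _ = strings.Cut(line, "//") // drop "// indirect" and other comments
		f := strings.Fields(line)
		switch {
		case len(f) == 2 && f[1] == "(":
			block = f[0] // opens a "require (" or "replace (" block
		case len(f) == 1 && f[0] == ")":
			block = ""
		case block != "":
			f = append([]string{block}, f...) // restore the directive keyword
		}
		if len(f) >= 3 && f[1] == quicGo && f[0] == "require" {
			required = f[2]
		} else if len(f) >= 3 && f[1] == quicGo && f[0] == "replace" {
			replaced = f[2:]
		}
	}
	if required == "" {
		return "absent"
	}
	if replaced != nil { // only "=> same-module version" can be judged automatically
		if len(replaced) != 3 || replaced[0] != "=>" || replaced[1] != quicGo {
			return "review"
		}
		required = replaced[2]
	}
	if required == vulnerable {
		return "affected"
	}
	return "not-affected"
}

func main() { // constructed one-line go.mod fragment, not from a real project
	fmt.Println(auditGoMod("require " + quicGo + " v0.50.0 // indirect"))
}
```

A "review" result means the replacement target has to be inspected by hand, since a fork or local copy may or may not carry the 0.50.1 patch.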
Affected Products
Debian
Quic-Go