PT-2025-32266 · Cloudflare · Cloudflare Quiche

Catenacyber · Published 2025-08-07 · Updated 2025-08-14 · CVE-2025-7054

CVSS v4.0: 8.7 (High)

Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions

Cloudflare quiche versions 0.15.0 through 0.24.5

Description

Cloudflare quiche is susceptible to an infinite loop when processing packets containing RETIRE CONNECTION ID frames. QUIC connections utilize connection identifiers (IDs) with sequence numbers to maintain synchronization between peers. An unauthenticated remote attacker can trigger this issue by sending specially crafted frames after completing a handshake, causing the victim to enter an infinite loop when attempting to send packets with RETIRE CONNECTION ID frames. This occurs due to a design feature supporting retirement across paths while maintaining connection ID synchronization.

Recommendations

Cloudflare quiche versions prior to 0.24.5 are affected. Upgrade to version 0.24.5 or later to resolve this issue.

Fix

Weakness Enumeration

Infinite Loop

Related Identifiers

BDU:2025-10362
CVE-2025-7054
GHSA-M3HH-F9GH-74C2

Affected Products

Cloudflare Quiche