PT-2025-41573 · Quic-Go+1

Rsukhodolskyi · Published 2025-10-10 · Updated 2025-11-14 · CVE-2025-59530

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions
quic-go versions prior to 0.49.0
quic-go versions prior to 0.54.1
quic-go versions prior to 0.55.0
Description
quic-go is an implementation of the QUIC protocol in Go. In affected versions, a malicious or misbehaving server can cause a denial of service (DoS) against a quic-go client: the server triggers an assertion failure in the client, which crashes the client process. The issue is exploitable during the handshake phase and requires no authentication. The vulnerability stems from improper handling of the HANDSHAKE_DONE frame: a server that sends a HANDSHAKE_DONE frame prematurely, before the client has completed its handshake, triggers the assertion failure. This behaviour has been observed in real-world traffic from certain server implementations.
Recommendations
Update to quic-go version 0.49.0 or later.
Update to quic-go version 0.54.1 or later.
Update to quic-go version 0.55.0 or later.

Exploit · Fix

Weakness Enumeration
DoS
Assertion Failure
Improper Handling of Exceptional Conditions

Related Identifiers

AZL-68778
AZL-68781
CVE-2025-59530
ECHO-F513-4224-6AF9
GHSA-47M2-4CR7-MHCW
GO-2025-4017
OPENSUSE-SU-2025:15710-1
OPENSUSE-SU-2025:15737-1
RHSA-2025:21706
RHSA-2025:21768
RHSA-2025:23069

Affected Products

Debian
Quic-Go