PT-2025-50733 · Quic-Go+1

Published 2025-12-11 · Updated 2026-05-21 · CVE-2025-64702

CVSS v3.1 5.3 Medium

Vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Name of the Vulnerable Software and Affected Versions

quic-go versions 0.56.0 and below

Description

quic-go, an implementation of the QUIC protocol in Go, is susceptible to excessive memory allocation. This occurs through the HTTP/3 client and server implementations when processing a QPACK-encoded HEADERS frame that expands into a large header field section, containing numerous unique header names and/or large values. The implementation constructs an http.Header without adequately limiting the size of the decoded header, leading to potential memory exhaustion.

Recommendations

Update to version 0.57.0 or later.

Exploit

Fix

DoS

Allocation of Resources Without Limits

Weakness Enumeration

Related Identifiers

CLEANSTART-2026-VJ54611
CVE-2025-64702
GHSA-G754-HX8W-X2G6
GO-2025-4233
OPENSUSE-SU-2026:10035-1
OPENSUSE-SU-2026:10131-1
OPENSUSE-SU-2026:20191-1
OPENSUSE-SU-2026:20809-1
SUSE-SU-2026:0037-1

Affected Products

Debian
Quic-Go