Description

quic-go is an implementation of the QUIC protocol in Go. In versions prior to 0.49.0, 0.54.1, and 0.55.0, a misbehaving or malicious server can cause a denial-of-service (DoS) attack on the quic-go client by triggering an assertion failure, leading to a process crash. This requires no authentication and can be exploited during the handshake phase. This was observed in the wild with certain server implementations. quic-go needs to be able to handle misbehaving server implementations, including those that prematurely send a HANDSHAKE_DONE frame. Versions 0.49.0, 0.54.1, and 0.55.0 discard Initial keys when receiving a HANDSHAKE_DONE frame, thereby correctly handling premature HANDSHAKE_DONE frames.

INFO

Published Date :

2025-10-10T16:09:55.227Z

Last Modified :

2025-10-10T16:31:47.457Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2025-59530 vulnerability.

Vendors Products
Quic-go Project
  • Quic-go
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-59530.

URL Resource
https://github.com/quic-go/quic-go/blob/v0.55.0/connection.go#L2682-L2685 cve-icon cve-icon cve-icon
https://github.com/quic-go/quic-go/pull/5354 cve-icon cve-icon cve-icon
https://github.com/quic-go/quic-go/security/advisories/GHSA-47m2-4cr7-mhcw cve-icon cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2025-59530 cve-icon
https://www.cve.org/CVERecord?id=CVE-2025-59530 cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact