Description

quic-go is an implementation of the QUIC protocol in Go. Versions 0.56.0 and below are vulnerable to excessive memory allocation through quic-go's HTTP/3 client and server implementations by sending a QPACK-encoded HEADERS frame that decodes into a large header field section (many unique header names and/or large values). The implementation builds an http.Header (used on the http.Request and http.Response, respectively), while only enforcing limits on the size of the (QPACK-compressed) HEADERS frame, but not on the decoded header, leading to memory exhaustion. This issue is fixed in version 0.57.0.

INFO

Published Date :

2025-12-11T20:58:10.517Z

Last Modified :

2025-12-12T20:45:30.439Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2025-64702 vulnerability.

Vendors Products
Quic-go Project
  • Quic-go
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-64702.

URL Resource
https://github.com/quic-go/quic-go/commit/5b2d2129f8315da41e01eff0a847ab38a34e83a8 cve-icon cve-icon cve-icon
https://github.com/quic-go/quic-go/security/advisories/GHSA-g754-hx8w-x2g6 cve-icon cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2025-64702 cve-icon
https://www.cve.org/CVERecord?id=CVE-2025-64702 cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact