Denial-of-Service Vulnerability in quic-go Implementation of QUIC Protocol
CVE-2025-59530

7.5HIGH

Key Information:

Vendor

Quic-go

Status
Quic-go
Vendor
CVE Published:
10 October 2025

What is CVE-2025-59530?

The quic-go implementation of the QUIC protocol is susceptible to a Denial-of-Service (DoS) attack in versions prior to 0.49.0, 0.54.1, and 0.55.0. A malicious server can exploit this vulnerability by causing an assertion failure in the quic-go client during the handshake phase, which could result in the client's process crashing. This attack can be executed without authentication and has been observed in real-world scenarios, highlighting the necessity for robust handling of unexpected server behaviors, such as premature sending of a HANDSHAKE_DONE frame. The newer versions of quic-go mitigate this risk by discarding Initial keys when faced with such invalid frames.

Affected Version(s)

quic-go < 0.49.1 < 0.49.1

quic-go >= 0.5.0, < 0.54.1 < 0.5.0, 0.54.1

References

https://github.com/quic-go/quic-go/security/advisories/GH...
x_refsource_CONFIRM
https://github.com/quic-go/quic-go/pull/5354
x_refsource_MISC
https://github.com/quic-go/quic-go/blob/v0.55.0/connectio...
x_refsource_MISC

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.
CVE-2025-59530 : Denial-of-Service Vulnerability in quic-go Implementation of QUIC Protocol