CVE-2025-59530
Panic occurs when queuing undecryptable packets after handshake completion in github.com/quic-go/quic-go
Description
quic-go is an implementation of the QUIC protocol in Go. In versions prior to 0.49.0, 0.54.1, and 0.55.0, a misbehaving or malicious server can cause a denial-of-service (DoS) attack on the quic-go client by triggering an assertion failure, leading to a process crash. This requires no authentication and can be exploited during the handshake phase. This was observed in the wild with certain server implementations. quic-go needs to be able to handle misbehaving server implementations, including those that prematurely send a HANDSHAKE_DONE frame. Versions 0.49.0, 0.54.1, and 0.55.0 discard Initial keys when receiving a HANDSHAKE_DONE frame, thereby correctly handling premature HANDSHAKE_DONE frames.
How to fix CVE-2025-59530
To remediate CVE-2025-59530, upgrade the affected package to a fixed version below.
- —no fix listed
- —upgrade to 0.49.1 or later
- —upgrade to 0.49.1 or later
Is CVE-2025-59530 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (3)
- from 0
- from 0, < 0.49.1
- from 0, < 0.49.1, >= 0.50.0, < 0.54.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |