CVE-2025-64702
HTTP/3 QPACK Header Expansion DoS in github.com/quic-go/quic-go
Description
quic-go is an implementation of the QUIC protocol in Go. Versions 0.56.0 and below are vulnerable to excessive memory allocation through quic-go's HTTP/3 client and server implementations by sending a QPACK-encoded HEADERS frame that decodes into a large header field section (many unique header names and/or large values). The implementation builds an http.Header (used on the http.Request and http.Response, respectively), while only enforcing limits on the size of the (QPACK-compressed) HEADERS frame, but not on the decoded header, leading to memory exhaustion. This issue is fixed in version 0.57.0.
How to fix CVE-2025-64702
To remediate CVE-2025-64702, upgrade the affected package to a fixed version below.
- —no fix listed
- —upgrade to 0.57.0 or later
- —upgrade to 0.57.0 or later
Is CVE-2025-64702 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (3)
- from 0
- from 0, < 0.57.0
- from 0, < 0.57.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM5.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |