CVE-2025-29785Uncaught Exception in Quic-go Quic-go

CWE-248Uncaught Exception8 documents6 sources
Severity
7.5HIGHNVD
EPSS
0.1%
top 66.70%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Github.com Quic-go Quic-goQuic-go
Timeline
PublishedJun 2
Latest updateJun 3

Description

quic-go is an implementation of the QUIC protocol in Go. The loss recovery logic for path probe packets that was added in the v0.50.0 release can be used to trigger a nil-pointer dereference by a malicious QUIC client. In order to do so, the attacker first sends valid QUIC packets from different remote addresses (thereby triggering the newly added path validation logic: the server sends path probe packets), and then sending ACKs for packets received from the server specifically crafted to trigge

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

Gogithub.com/quic-go_quic-go0.50.00.50.1
CVEListV5quic-go/quic-go= 0.50.0

🔴Vulnerability Details

5
OSV
Panic in Path Probe Loss Recovery Handling in github.com/quic-go/quic-go2025-06-03
GHSA
quic-go Has Panic in Path Probe Loss Recovery Handling2025-06-03
OSV
quic-go Has Panic in Path Probe Loss Recovery Handling2025-06-03
OSV
CVE-2025-29785: quic-go is an implementation of the QUIC protocol in Go2025-06-02
CVEList
quic-go Has Panic in Path Probe Loss Recovery Handling2025-06-02

📋Vendor Advisories

2
Red Hat
quic-go: quic-go Has Panic in Path Probe Loss Recovery Handling2025-06-02
Debian
CVE-2025-29785: golang-github-lucas-clemente-quic-go - quic-go is an implementation of the QUIC protocol in Go. The loss recovery logic...2025
CVE-2025-29785 — Uncaught Exception in Quic-go Quic-go | cvebase