CVE-2025-59530: Reachable Assertion in quic-go

Severity: 7.5 HIGH (NVD)
EPSS: 0.0% (top 89.82%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Oct 10; latest update Nov 5

Description

quic-go is an implementation of the QUIC protocol in Go. In versions prior to 0.49.0, 0.54.1, and 0.55.0, a misbehaving or malicious server can cause a denial-of-service (DoS) attack on the quic-go client by triggering an assertion failure, leading to a process crash. This requires no authentication and can be exploited during the handshake phase. This was observed in the wild with certain server implementations. quic-go needs to be able to handle misbehaving server implementations, including th
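The failure mode the description and the advisory titles point at ("Client Crash Due to Premature HANDSHAKE_DONE Frame", "Panic occurs when queuing undecryptable packets after handshake completion") can be reduced to a small state machine. The following is an added illustration, not quic-go's code: the type, field and function names are invented, and the constructed scenario sends a HANDSHAKE_DONE frame while the client's handshake is still in progress, followed by a packet the client has no keys for. The assertion being modelled is the invariant that undecryptable packets are only buffered before handshake completion. Closing the connection with PROTOCOL_VIOLATION (RFC 9000 section 20.1) when HANDSHAKE_DONE arrives early is the assumed hardening shown here; it is a defensive pattern, not a claim about the exact patch shipped in the fixed releases.

```go
package main

import (
	"errors"
	"fmt"
)

// ErrPrematureHandshakeDone stands in for a CONNECTION_CLOSE carrying the
// PROTOCOL_VIOLATION transport error code (0x0a, RFC 9000 section 20.1).
var ErrPrematureHandshakeDone = errors.New("PROTOCOL_VIOLATION: HANDSHAKE_DONE received before handshake completion")

// ClientConn is a constructed, minimal model of client-side connection state.
// It is not quic-go's connection type; the field and method names are invented.
type ClientConn struct {
	handshakeComplete bool     // set once the TLS handshake has finished
	undecryptable     [][]byte // packets buffered until the keys to read them exist
	rejectPremature   bool     // hardened behaviour: refuse HANDSHAKE_DONE before completion
}

// HandleHandshakeDone processes a HANDSHAKE_DONE frame from the server.
// A conforming server only sends the frame once the handshake is complete, so a
// client that trusts it unconditionally lets a misbehaving server mark the
// handshake complete while the client still lacks the keys it needs.
func (c *ClientConn) HandleHandshakeDone() error {
	if !c.handshakeComplete {
		if c.rejectPremature {
			return ErrPrematureHandshakeDone
		}
		c.handshakeComplete = true // vulnerable model: believe the server
	}
	return nil
}

// HandleUndecryptablePacket buffers a packet that cannot be decrypted yet.
// The invariant it asserts is the one the advisory names: after handshake
// completion every packet must be decryptable, so reaching this path
// afterwards is treated as impossible and aborts the process.
func (c *ClientConn) HandleUndecryptablePacket(p []byte) {
	if c.handshakeComplete {
		panic("reachable assertion: undecryptable packet queued after handshake completion")
	}
	c.undecryptable = append(c.undecryptable, p)
}

// Outcome records how the modelled client ended up.
type Outcome struct {
	Err      error
	Panicked bool
	Queued   int
}

// RunPrematureHandshakeDone drives the sequence the advisory describes with a
// constructed server behaviour: HANDSHAKE_DONE arrives while the handshake is
// still in progress, then a 1-RTT packet the client cannot decrypt yet.
func RunPrematureHandshakeDone(rejectPremature bool) (out Outcome) {
	c := &ClientConn{rejectPremature: rejectPremature}
	defer func() {
		if r := recover(); r != nil {
			out.Panicked = true
		}
		out.Queued = len(c.undecryptable)
	}()

	// Step 1: an early undecryptable packet is buffered normally.
	c.HandleUndecryptablePacket([]byte("constructed 1-RTT packet #1"))

	// Step 2: the misbehaving server sends HANDSHAKE_DONE too early.
	if err := c.HandleHandshakeDone(); err != nil {
		out.Err = err // hardened client: close the connection, keep running
		return out
	}

	// Step 3: another packet the client still cannot decrypt.
	c.HandleUndecryptablePacket([]byte("constructed 1-RTT packet #2"))
	return out
}

func main() {
	for _, reject := range []bool{false, true} {
		out := RunPrematureHandshakeDone(reject)
		fmt.Printf("rejectPremature=%v panicked=%v err=%v queued=%d\n",
			reject, out.Panicked, out.Err, out.Queued)
	}
}
```

The vulnerable variant recovers from the panic only because the harness wraps it; a real process would simply exit, which is the unauthenticated, handshake-time DoS the CVSS vector (A:H, no C or I impact) describes. The carry-over point is that an invariant a remote peer can falsify must be enforced with a connection-level error, never with an assertion.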

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Exploitability: 3.9 | Impact: 3.6

Affected Packages (2 packages)

CVEListV5: quic-go/quic-go, < 0.49.1 (+1)
Go: github.com/quic-go/quic-go, 0.50.0 to 0.54.1 (+1)

Vulnerability Details (5)

OSV, 2025-11-05: Panic occurs when queuing undecryptable packets after handshake completion in github.com/quic-go/quic-go
GHSA, 2025-10-10: quic-go: Panic occurs when queuing undecryptable packets after handshake completion
CVEList, 2025-10-10: quic-go has Client Crash Due to Premature HANDSHAKE_DONE Frame
OSV, 2025-10-10: CVE-2025-59530: quic-go is an implementation of the QUIC protocol in Go
OSV, 2025-10-10: quic-go: Panic occurs when queuing undecryptable packets after handshake completion

Vendor Advisories (3)

Microsoft, 2025-10-14: quic-go has Client Crash Due to Premature HANDSHAKE_DONE Frame
Red Hat, 2025-10-10: github.com/quic-go/quic-go: quic-go Crash Due to Premature HANDSHAKE_DONE Frame
Debian, 2025: CVE-2025-59530: golang-github-lucas-clemente-quic-go - quic-go is an implementation of the QUIC protocol in Go. In versions prior to 0....
CVE-2025-59530 — Reachable Assertion in Quic-go | cvebase