CVE-2025-64702 — Allocation of Resources Without Limits or Throttling in Quic-go

CWE-770 — Allocation of Resources Without Limits or Throttling9 documents7 sources

Severity

5.3MEDIUMNVD

EPSS

0.1%

top 76.51%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Quic-go Github.com Quic-go Quic-go Quic-go Project Quic-go

Timeline

PublishedDec 11

Latest updateDec 15

Description

quic-go is an implementation of the QUIC protocol in Go. Versions 0.56.0 and below are vulnerable to excessive memory allocation through quic-go's HTTP/3 client and server implementations by sending a QPACK-encoded HEADERS frame that decodes into a large header field section (many unique header names and/or large values). The implementation builds an http.Header (used on the http.Request and http.Response, respectively), while only enforcing limits on the size of the (QPACK-compressed) HEADERS f…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:LExploitability: 3.9 | Impact: 1.4

Affected Packages3 packages

▶CVEListV5quic-go/quic-go< 0.57.0

▶NVDquic-go_project/quic-go< 0.57.0

▶Gogithub.com/quic-go_quic-go< 0.57.0

Patches

Patch: github.com ↗

🔴Vulnerability Details

OSV

HTTP/3 QPACK Header Expansion DoS in github.com/quic-go/quic-go↗2025-12-15

▶

CVEList

quic-go HTTP/3 QPACK Header Expansion DoS↗2025-12-11

▶

OSV

quic-go HTTP/3 QPACK Header Expansion DoS↗2025-12-11

▶

GHSA

quic-go HTTP/3 QPACK Header Expansion DoS↗2025-12-11

▶

OSV

CVE-2025-64702: quic-go is an implementation of the QUIC protocol in Go↗2025-12-11

▶

📋Vendor Advisories

Red Hat

github.com/quic-go/quic-go/http3: quic-go HTTP/3 QPACK Header Expansion DoS↗2025-12-11

▶

Debian

CVE-2025-64702: golang-github-lucas-clemente-quic-go - quic-go is an implementation of the QUIC protocol in Go. Versions 0.56.0 and bel...↗2025

▶

🕵️Threat Intelligence

Wiz

CVE-2025-64702 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶