Quic-Go Project / quic-go vulnerabilities

4 known vulnerabilities affecting quic-go_project/quic-go.

Total CVEs: 4
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: HIGH 2, MEDIUM 2

Vulnerabilities

CVE-2025-64702 | MEDIUM | CVSS 5.3 | fixed in 0.57.0 | 2025-12-11
CWE-770. quic-go is an implementation of the QUIC protocol in Go. Versions 0.56.0 and below are vulnerable to excessive memory allocation through quic-go's HTTP/3 client and server implementations by sending a QPACK-encoded HEADERS frame that decodes into a large header field section (many unique header names and/or large values). The implementation builds a
Source: NVD
CVE-2023-49295 | MEDIUM | CVSS 6.5 | fixed in 0.37.7; affected ≥ 0.38.0, < 0.38.2, +2 more | 2024-01-10
CWE-400. quic-go is an implementation of the QUIC protocol (RFC 9000, RFC 9001, RFC 9002) in Go. An attacker can cause its peer to run out of memory by sending a large number of PATH_CHALLENGE frames. The receiver is supposed to respond to each PATH_CHALLENGE frame with a PATH_RESPONSE frame. The attacker can prevent the receiver from sending out (the vast major
Source: NVD
CVE-2023-46239 | HIGH | CVSS 7.5 | affected ≥ 0.37.0, < 0.37.3 | 2023-10-31
CWE-248. quic-go is an implementation of the QUIC protocol in Go. Starting in version 0.37.0 and prior to version 0.37.3, by serializing an ACK frame after the CRYPTO frame that allows a node to complete the handshake, a remote node could trigger a nil pointer dereference (leading to a panic) when the node attempted to drop the Handshake packet number space. An atta
Source: NVD
CVE-2022-30591 | HIGH | CVSS 7.5 | affected ≤ 0.27.0 | 2022-07-06
CWE-400. quic-go through 0.27.0 allows remote attackers to cause a denial of service (CPU consumption) via a Slowloris variant in which incomplete QUIC or HTTP/3 requests are sent. This occurs because mtu_discoverer.go misparses the MTU Discovery service and consequently overflows the probe timer. NOTE: the vendor's position is that this behavior should not be
Source: NVD