Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

debian логотип

CVE-2025-64702

Опубликовано: 11 дек. 2025
Источник: debian
EPSS Низкий

Описание

quic-go is an implementation of the QUIC protocol in Go. Versions 0.56.0 and below are vulnerable to excessive memory allocation through quic-go's HTTP/3 client and server implementations by sending a QPACK-encoded HEADERS frame that decodes into a large header field section (many unique header names and/or large values). The implementation builds an http.Header (used on the http.Request and http.Response, respectively), while only enforcing limits on the size of the (QPACK-compressed) HEADERS frame, but not on the decoded header, leading to memory exhaustion. This issue is fixed in version 0.57.0.

Пакеты

ПакетСтатусВерсия исправленияРелизТип
golang-github-lucas-clemente-quic-gounfixedpackage
golang-github-lucas-clemente-quic-gono-dsatrixiepackage
golang-github-lucas-clemente-quic-gono-dsabookwormpackage
golang-github-lucas-clemente-quic-gono-dsabullseyepackage

Примечания

  • https://github.com/quic-go/quic-go/security/advisories/GHSA-g754-hx8w-x2g6

  • Fixed by: https://github.com/quic-go/quic-go/commit/5b2d2129f8315da41e01eff0a847ab38a34e83a8 (v0.57.0)

EPSS

Процентиль: 17%
0.00056
Низкий

Связанные уязвимости

ubuntu логотип

CVE-2025-64702

CVSS3: 5.3
ubuntu
около 2 месяцев назад

quic-go is an implementation of the QUIC protocol in Go. Versions 0.56.0 and below are vulnerable to excessive memory allocation through quic-go's HTTP/3 client and server implementations by sending a QPACK-encoded HEADERS frame that decodes into a large header field section (many unique header names and/or large values). The implementation builds an http.Header (used on the http.Request and http.Response, respectively), while only enforcing limits on the size of the (QPACK-compressed) HEADERS frame, but not on the decoded header, leading to memory exhaustion. This issue is fixed in version 0.57.0.

nvd логотип

CVE-2025-64702

CVSS3: 5.3
nvd
около 2 месяцев назад

quic-go is an implementation of the QUIC protocol in Go. Versions 0.56.0 and below are vulnerable to excessive memory allocation through quic-go's HTTP/3 client and server implementations by sending a QPACK-encoded HEADERS frame that decodes into a large header field section (many unique header names and/or large values). The implementation builds an http.Header (used on the http.Request and http.Response, respectively), while only enforcing limits on the size of the (QPACK-compressed) HEADERS frame, but not on the decoded header, leading to memory exhaustion. This issue is fixed in version 0.57.0.

github логотип

GHSA-g754-hx8w-x2g6

CVSS3: 5.3
github
около 2 месяцев назад

quic-go HTTP/3 QPACK Header Expansion DoS

EPSS

Процентиль: 17%
0.00056
Низкий