VDB
DEBIAN-CVE-2025-64702
DEBIAN-CVE-2025-64702
PUBLISHED
CVSS 5.300000190734863 MEDIUM
quic-go is an implementation of the QUIC protocol in Go. Versions 0.56.0 and below are vulnerable to excessive memory allocation through quic-go's HTTP/3 client and server implementations by sending a QPACK-encoded HEADERS frame that decodes into a large header field section (many unique header names and/or large values). The implementation builds an http.Header (used on the http.Request and http.Response, respectively), while only enforcing limits on the size of the (QPACK-compressed) HEADERS frame, but not on the decoded header, leading to memory exhaustion. This issue is fixed in version 0.57.0.
Risk Scores
CVSS v3.1
5.300000190734863
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Debian:11 | golang-github-lucas-clemente-quic-go | 0, 0.24.0-1, 0.25.0-1 |
| Debian:13 | golang-github-lucas-clemente-quic-go | 0.54.0-3, 0, 0.50.1-2 |
| Debian:12 | golang-github-lucas-clemente-quic-go | 0, 0.46.0-2, 0.46.0-2 |
| Debian:14 | golang-github-lucas-clemente-quic-go | 0.54.1-1, 0.55.0-1, 0 |
Timeline
- Dec 11, 2025 CVE Published
- Apr 28, 2026 CVE Updated