AZL-68778

See a problem?

Import Source

https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-68778.json

JSON Data

https://api.test.osv.dev/v1/vulns/AZL-68778

Upstream

CVE-2025-59530

Published

2025-10-10T16:15:52Z

Modified

2026-04-01T05:21:28.736204Z

Summary

CVE-2025-59530 affecting package coredns for versions less than 1.11.4-11

Details

quic-go is an implementation of the QUIC protocol in Go. In versions prior to 0.49.0, 0.54.1, and 0.55.0, a misbehaving or malicious server can cause a denial-of-service (DoS) attack on the quic-go client by triggering an assertion failure, leading to a process crash. This requires no authentication and can be exploited during the handshake phase. This was observed in the wild with certain server implementations. quic-go needs to be able to handle misbehaving server implementations, including those that prematurely send a HANDSHAKEDONE frame. Versions 0.49.0, 0.54.1, and 0.55.0 discard Initial keys when receiving a HANDSHAKEDONE frame, thereby correctly handling premature HANDSHAKE_DONE frames.

References

https://nvd.nist.gov/vuln/detail/CVE-2025-59530

Affected packages

Azure Linux:3 / coredns

Package

Name: coredns
Purl: pkg:rpm/azure-linux/coredns

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.11.4-11

Database specific

source

"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-68778.json"