CVE-2025-64702

quic-go is an implementation of the QUIC protocol in Go. Versions 0.56.0 and below are vulnerable to excessive memory allocation through quic-go's HTTP/3 client and server implementations by sending a QPACK-encoded HEADERS frame that decodes into a large header field section (many unique header names and/or large values). The implementation builds an http.Header (used on the http.Request and http.Response, respectively), while only enforcing limits on the size of the (QPACK-compressed) HEADERS frame, but not on the decoded header, leading to memory exhaustion. This issue is fixed in version 0.57.0.

Database specific

{
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/64xxx/CVE-2025-64702.json",
    "cwe_ids": [
        "CWE-770"
    ]
}

References

Affected packages

Git / github.com/quic-go/quic-go

Affected ranges

Type

GIT

Repo

https://github.com/quic-go/quic-go

Events

Introduced

Fixed

5b2d2129f8315da41e01eff0a847ab38a34e83a8

Database specific

{
    "source": [
        "AFFECTED_FIELD",
        "CPE_RANGE",
        "REFERENCES"
    ],
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "0.57.0"
        },
        {
            "introduced": "0"
        },
        {
            "fixed": "0.57.0"
        }
    ],
    "cpe": "cpe:2.3:a:quic-go_project:quic-go:*:*:*:*:*:*:*:*"
}

Affected versions

v.*

v.0.21

v0.*

v0.21.0

v0.21.1

v0.22.0

v0.23.0

v0.24.0

v0.25.0

v0.26.0

v0.27.0

v0.28.0

v0.28.1

v0.29.0

v0.30.0

v0.31.0

v0.31.1

v0.32.0

v0.33.0

v0.34.0

v0.35.0

v0.35.1

v0.36.0

v0.37.0

v0.37.1

v0.38.0

v0.38.1

v0.39.0

v0.4

v0.40.0

v0.41.0

v0.42.0

v0.43.0

v0.44.0

v0.45.0

v0.46.0

v0.47.0

v0.48.0

v0.48.1

v0.49.0

v0.5.0

v0.50.0

v0.51.0

v0.52.0

v0.53.0

v0.54.0

v0.55.0

v0.56.0

v0.6.0

v0.7.0

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-64702.json"