CVE-2025-30403
Description
A heap-buffer-overflow vulnerability is possible in mvfst via a specially crafted message during a QUIC session. This issue affects mvfst versions prior to v2025.07.07.00.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A heap-buffer-overflow in mvfst allows a remote attacker to crash a QUIC session, patched in v2025.07.07.00.
Vulnerability
CVE-2025-30403 is a heap-buffer-overflow vulnerability in Facebook's mvfst library, which implements the QUIC transport protocol. The bug originates in the BufWriter::sizeCheck function, where a debug assertion (DCHECK) was the only guard against writing beyond an allocated buffer's limits. In production builds, debug assertions are typically disabled, meaning oversized writes could silently corrupt the heap [1] [2].
Exploitation
An attacker can trigger this overflow by sending a specially crafted QUIC message to an unpatched server. The attack requires no prior authentication and can be performed over the network, as the vulnerable code is exercised during normal QUIC session message processing. The commit history shows the original DCHECK was replaced with a hard CHECK that always validates the write size, preventing the overflow [1].
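The gap between a debug-only assertion and an always-on check, as described in the Vulnerability and Exploitation paragraphs, shown as an added C++ example that is not mvfst's code. `DemoWriter`, `kDebugBuild`, `tryWrite` and the canary region are hypothetical, and the always-on check throws instead of aborting the process so the outcome can be observed.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <stdexcept>
#include <vector>

// Hypothetical stand-ins, not mvfst code. kDebugBuild models whether debug
// assertions are compiled in; release builds normally have them off.
constexpr bool kDebugBuild = false;
constexpr std::size_t kGuard = 8;        // canary bytes placed after the buffer
constexpr std::uint8_t kCanary = 0xA5;

class DemoWriter {
 public:
  DemoWriter(std::size_t cap, bool hardCheck)
      : store_(cap + kGuard, kCanary), cap_(cap), hard_(hardCheck) {}
  // Copies len bytes at the current offset after running the size check.
  void push(const std::uint8_t* data, std::size_t len) {
    sizeCheck(len);
    // Clamp to the backing store so the demo never leaves its own allocation.
    const std::size_t n = std::min(len, store_.size() - written_);
    std::copy_n(data, n, store_.begin() + written_);
    written_ += n;
  }
  // True if any byte past the logical capacity was overwritten.
  bool guardCorrupted() const {
    return std::any_of(store_.begin() + cap_, store_.end(),
                       [](std::uint8_t b) { return b != kCanary; });
  }
 private:
  void sizeCheck(std::size_t len) const {
    const bool fits = len <= cap_ - std::min(written_, cap_);
    // hard_: always-on check. Otherwise the check exists only in debug builds.
    if (!fits && (hard_ || kDebugBuild)) throw std::length_error("write exceeds buffer");
  }
  std::vector<std::uint8_t> store_;
  std::size_t cap_, written_ = 0;
  bool hard_;
};

// Writes len constructed zero bytes into an 8-byte writer.
// Returns 0 = rejected, 1 = accepted and canary corrupted, 2 = accepted, intact.
int tryWrite(bool hardCheck, std::size_t len) {
  DemoWriter w(8, hardCheck);
  const std::uint8_t msg[16] = {0};
  try { w.push(msg, len); } catch (const std::length_error&) { return 0; }
  return w.guardCorrupted() ? 1 : 2;
}
```

With the debug-only check, the 12-byte write into the 8-byte buffer is accepted and overwrites the canary; with the always-on check, the same write is rejected before any byte is copied.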
Impact
Successful exploitation causes a heap-based buffer overflow, which can corrupt adjacent memory. While the advisory does not confirm remote code execution, the severity (CVSS 8.1) suggests the crash can reliably lead to a denial of service, and in some configurations may allow further memory corruption that could be leveraged by an attacker. The vulnerability affects mvfst versions from v2025.03.24.00 up to (but not including) v2025.07.07.00 [2].
Mitigation
Users must upgrade to mvfst v2025.07.07.00 or later, which includes the hardening change in commit 65b2973. No workaround is provided; applying the update is the only recommended mitigation. The vulnerability is not currently listed on CISA's Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (1)
65b297332191
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (2)
News mentions (0)
No linked articles in our index yet.