CVE-2025-59530
Description
quic-go is an implementation of the QUIC protocol in Go. In versions prior to 0.49.0, 0.54.1, and 0.55.0, a misbehaving or malicious server can cause a denial-of-service (DoS) attack on the quic-go client by triggering an assertion failure, leading to a process crash. This requires no authentication and can be exploited during the handshake phase. This was observed in the wild with certain server implementations. quic-go needs to be able to handle misbehaving server implementations, including those that prematurely send a HANDSHAKE_DONE frame. Versions 0.49.0, 0.54.1, and 0.55.0 discard Initial keys when receiving a HANDSHAKE_DONE frame, thereby correctly handling premature HANDSHAKE_DONE frames.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/quic-go/quic-go (Go) | < 0.49.1 | 0.49.1 |
| github.com/quic-go/quic-go (Go) | >= 0.50.0, < 0.54.1 | 0.54.1 |
References
- github.com/advisories/GHSA-47m2-4cr7-mhcw (source: ghsa, type: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2025-59530 (source: ghsa, type: ADVISORY)
- github.com/quic-go/quic-go/blob/v0.55.0/connection.go (source: nvd, type: WEB)
- github.com/quic-go/quic-go/commit/bc5bccf10fd02728eef150683eb4dfaa5c0e749c (source: ghsa, type: WEB)
- github.com/quic-go/quic-go/commit/ce7c9ea8834b9d2ed79efa9269467f02c0895d42 (source: ghsa, type: WEB)
- github.com/quic-go/quic-go/pull/5354 (source: nvd, type: WEB)
- github.com/quic-go/quic-go/security/advisories/GHSA-47m2-4cr7-mhcw (source: nvd, type: WEB)
- pkg.go.dev/vuln/GO-2025-4017 (source: ghsa, type: WEB)