VYPR
Moderate severityNVD Advisory· Published Dec 11, 2025· Updated Dec 12, 2025

quic-go HTTP/3 QPACK Header Expansion DoS

CVE-2025-64702

Description

quic-go is an implementation of the QUIC protocol in Go. Versions 0.56.0 and below are vulnerable to excessive memory allocation through quic-go's HTTP/3 client and server implementations by sending a QPACK-encoded HEADERS frame that decodes into a large header field section (many unique header names and/or large values). The implementation builds an http.Header (used on the http.Request and http.Response, respectively), while only enforcing limits on the size of the (QPACK-compressed) HEADERS frame, but not on the decoded header, leading to memory exhaustion. This issue is fixed in version 0.57.0.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
github.com/quic-go/quic-goGo
< 0.57.00.57.0

Affected products

302

Patches

Vulnerability mechanics

References

4

News mentions

0

No linked articles in our index yet.