Infinite loop triggered by connection ID retirement

Vulnerability

Description

CVE-2025-7054 is an infinite loop vulnerability in Cloudflare's quiche, which is an implementation of the QUIC transport protocol and HTTP/3. The bug occurs in the logic that handles sending packets containing RETIRE_CONNECTION_ID frames. After a QUIC handshake completes, the local endpoint is responsible for issuing and retiring connection IDs used by the remote peer. Each connection ID has a sequence number to synchronize state between peers [1][2].

Exploitation

An unauthenticated remote attacker can exploit this vulnerability by first completing a QUIC handshake with a victim running a vulnerable version of quiche. The attacker then sends a specially crafted set of frames that trigger a connection ID retirement on the victim. Per RFC 9000 Section 19.16, a packet cannot contain a RETIRE_CONNECTION_ID frame that retires the same sequence number as the connection ID used by that packet. However, in scenarios such as path migration, multiple active paths exist with different connection IDs that could be used to retire each other. The exploit triggered an unintended behavior in quiche's design feature that supports retirement across paths while maintaining full connection ID synchronization, leading to an infinite loop [2][3].

Impact

An attacker who successfully exploits this vulnerability can cause the victim's quiche endpoint to enter an infinite loop. This can effectively act as a denial-of-service (DoS) condition, preventing the affected QUIC endpoint from processing valid packets or making progress on the connection. No authentication is required beyond establishing the initial QUIC handshake.

Mitigation

The vulnerability affects quiche versions from 0.15.0 before 0.24.5. The fix was included in quiche version 0.24.5. Users should upgrade to this version or later to mitigate the risk [3].