VYPR

Quic Go

by Quic Go

CVEs (9)

  • CVE-2025-59530 High Oct 10, 2025
    risk 0.42, cvss 7.5, epss 0.00

    quic-go is an implementation of the QUIC protocol in Go. In versions prior to 0.49.0, 0.54.1, and 0.55.0, a misbehaving or malicious server can cause a denial-of-service (DoS) attack on the quic-go client by triggering an assertion failure, leading to a process crash. This…

  • CVE-2025-29785 High Jun 2, 2025
    risk 0.42, cvss 7.5, epss 0.00

    quic-go is an implementation of the QUIC protocol in Go. The loss recovery logic for path probe packets that was added in the v0.50.0 release can be used to trigger a nil-pointer dereference by a malicious QUIC client. In order to do so, the attacker first sends valid QUIC…

  • CVE-2024-22189 High Apr 4, 2024
    risk 0.42, cvss 7.5, epss 0.01

    quic-go is an implementation of the QUIC protocol in Go. Prior to version 0.42.0, an attacker can cause its peer to run out of memory sending a large number of `NEW_CONNECTION_ID` frames that retire old connection IDs. The receiver is supposed to respond to each retirement frame…

  • CVE-2024-53259 Medium Dec 2, 2024
    risk 0.35, cvss 6.5, epss 0.01

    quic-go is an implementation of the QUIC protocol in Go. An off-path attacker can inject an ICMP Packet Too Large packet. Since affected quic-go versions used IP_PMTUDISC_DO, the kernel would then return a "message too large" error on sendmsg, i.e. when quic-go attempts to send…

  • CVE-2026-40898 Medium Jun 4, 2026
    risk 0.27, cvss 5.3, epss 0.00

    quic-go is an implementation of the QUIC protocol in Go. Prior to version 0.59.1, an attacker can cause excessive memory allocation in quic-go's HTTP/3 client and server implementations by sending a QPACK-encoded HEADERS frame that decodes into a large trailer field section with…

  • CVE-2022-30591 Jul 6, 2022
    risk 0.01, cvss (not listed), epss 0.02

    quic-go through 0.27.0 allows remote attackers to cause a denial of service (CPU consumption) via a Slowloris variant in which incomplete QUIC or HTTP/3 requests are sent. This occurs because mtu_discoverer.go misparses the MTU Discovery service and consequently overflows the…

  • CVE-2025-64702 Dec 11, 2025
    risk 0.00, cvss (not listed), epss 0.00

    quic-go is an implementation of the QUIC protocol in Go. Versions 0.56.0 and below are vulnerable to excessive memory allocation through quic-go's HTTP/3 client and server implementations by sending a QPACK-encoded HEADERS frame that decodes into a large header field section…

  • CVE-2023-49295 Jan 10, 2024
    risk 0.00, cvss (not listed), epss 0.01

    quic-go is an implementation of the QUIC protocol (RFC 9000, RFC 9001, RFC 9002) in Go. An attacker can cause its peer to run out of memory sending a large number of PATH_CHALLENGE frames. The receiver is supposed to respond to each PATH_CHALLENGE frame with a PATH_RESPONSE…

  • CVE-2023-46239 Oct 31, 2023
    risk 0.00, cvss (not listed), epss 0.01

    quic-go is an implementation of the QUIC protocol in Go. Starting in version 0.37.0 and prior to version 0.37.3, by serializing an ACK frame after the CRYPTO that allows a node to complete the handshake, a remote node could trigger a nil pointer dereference (leading to a panic)…