CVE-2025-4821
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-06-18

Last updated on: 2025-11-06

Assigner: Cloudflare, Inc.

Description
Impact Cloudflare quiche was discovered to be vulnerable to incorrect congestion window growth, which could cause it to send data at a rate faster than the path might actually support. An unauthenticated remote attacker can exploit the vulnerability by first completing a handshake and initiating a congestion-controlled data transfer towards itself. Then, it could manipulate the victim's congestion control state by sending ACK frames covering a large range of packet numbers (including packet numbers that had never been sent); see RFC 9000 Section 19.3. The victim could grow the congestion window beyond typical expectations and allow more bytes in flight than the path might really support. In extreme cases, the window might grow beyond the limit of the internal variable's type, leading to an overflow panic. Patches quiche 0.24.4 is the earliest version containing the fix for this issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-06-18
Last Modified
2025-11-06
Generated
2026-05-07
AI Q&A
2025-06-18
EPSS Evaluated
2026-05-05
NVD
CVE-2025-4821
EUVD
EUVD-2025-18651
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
cloudflare quiche to 0.24.4 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-4821 is a vulnerability in the Cloudflare quiche Rust library where the congestion window growth is incorrectly handled. An unauthenticated remote attacker can exploit this by completing a handshake and starting a congestion-controlled data transfer to themselves, then sending ACK frames that acknowledge a large range of packet numbers, including packets never sent. This causes the victim's congestion control to increase the congestion window beyond normal limits, allowing more data to be sent than the network path can support. In extreme cases, this can cause an overflow panic due to the congestion window exceeding internal variable limits. [1]


How can this vulnerability impact me? :

This vulnerability can impact you by causing your system to send data at a rate faster than the network path can support, potentially leading to network congestion or instability. In extreme cases, it may cause an overflow panic in the affected software, which could result in crashes or denial of service conditions. Since the attacker is unauthenticated and requires no user interaction, the risk of exploitation is significant. [1]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection of this vulnerability involves monitoring QUIC traffic for abnormal congestion window growth or unusual ACK frames acknowledging large ranges of packet numbers, including those never sent. Network analysis tools that can inspect QUIC protocol behavior might help identify such anomalies. However, no specific detection commands or tools are provided in the available resources. [1]


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade the Cloudflare quiche Rust library to version 0.24.4 or later, which contains the fix for this vulnerability. [1]


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart