CVE-2025-6703
BaseFortify
Publication date: 2025-06-26
Last updated on: 2025-12-03
Assigner: Mozilla Corporation
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mozilla | neqo | From 0.4.24 (inc) to 0.13.2 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-NVD-CWE-noinfo | |
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-6703 is a vulnerability in the Neqo QUIC implementation where the software improperly handles flow control limits. Specifically, Neqo sets a very large limit for MAX_DATA, and a remote attacker can exploit this by sending a DATA_BLOCKED frame after consuming bytes on the connection. This causes Neqo to attempt to send a MAX_DATA frame with a value exceeding the maximum allowed QUIC varint, leading to a panic in the Rust code that crashes the socket thread and the main process. [1]
How can this vulnerability impact me? :
This vulnerability can cause a denial-of-service (DoS) condition by crashing the Neqo process handling QUIC connections. While it does not impact confidentiality or integrity, it can cause low availability impact by terminating the process unexpectedly, potentially disrupting services relying on Neqo. [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability does not impact confidentiality or integrity of data, only availability through a denial-of-service condition. Therefore, it has minimal or no direct effect on compliance with standards like GDPR or HIPAA that primarily focus on data protection and privacy. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for crashes or panics in the Neqo process, especially related to QUIC connection flow control. Network detection could involve capturing QUIC traffic and identifying DATA_BLOCKED frames with unusually large MAX_DATA values exceeding the QUIC varint maximum (2^62 - 1). However, no specific detection commands are provided in the resources. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade Neqo to version 0.13.3 or later, where this vulnerability has been patched. Avoid running vulnerable versions (0.4.24 through 0.13.2) in exposed environments until patched. [1]