CVE-2025-59530
BaseFortify
Publication date: 2025-10-10
Last updated on: 2025-10-14
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| quic-go | quic-go | 0.55.0 |
| quic-go | quic-go | 0.49.1 |
| quic-go | quic-go | 0.54.1 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-617 | The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary. |
| CWE-755 | The product does not handle or incorrectly handles an exceptional condition. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-59530 is a vulnerability in the quic-go library where a malicious or misbehaving QUIC server can cause the quic-go client to crash by sending a premature HANDSHAKE_DONE frame during the TLS handshake. This triggers an assertion failure in the client because the client expects the Initial encryption keys to be discarded before the Handshake keys, but the premature frame causes the Handshake keys to be discarded first, violating the expected key lifecycle. This leads to a denial-of-service (DoS) attack without requiring authentication or user interaction. [3]
How can this vulnerability impact me?
This vulnerability can cause a denial-of-service (DoS) attack on the quic-go client by crashing the process. An attacker controlling a malicious QUIC server can exploit this by sending a premature HANDSHAKE_DONE frame, causing the client to panic and crash during the handshake phase. This impacts availability but does not affect confidentiality or integrity. No privileges or user interaction are required to exploit this vulnerability. [3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability manifests as a denial-of-service (DoS) attack causing the quic-go client process to crash due to an assertion failure triggered by a premature HANDSHAKE_DONE frame from a misbehaving or malicious QUIC server during the handshake phase. Detection can involve monitoring quic-go client logs for assertion failures or crashes related to handshake processing. Network detection could include capturing and analyzing QUIC handshake packets to identify premature HANDSHAKE_DONE frames sent by servers. Specific commands are not provided in the resources, but using packet capture tools like tcpdump or Wireshark to filter QUIC handshake traffic and inspecting for early HANDSHAKE_DONE frames may help. Additionally, monitoring application logs for client crashes or panics during QUIC connections is recommended. [3]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade the quic-go client library to a patched version that addresses this vulnerability. Specifically, upgrade to version 0.49.1, 0.54.1, 0.55.0, or later, where the handling of initial encryption keys during the QUIC handshake has been fixed to discard initial keys upon receiving a HANDSHAKE_DONE frame, preventing the assertion failure and client crash. This upgrade ensures the client can gracefully handle premature HANDSHAKE_DONE frames from misbehaving servers. No other mitigation steps or workarounds are detailed in the resources. [2, 3]
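The key-ordering failure and the fix described in the answers above, shown as a simplified Go model. This is an added example, not quic-go's code: the `client` type, its methods and `Simulate` are hypothetical names, and the only behaviour modelled is the order in which Initial and Handshake keys are discarded.

```go
package main

import "fmt"

// Simplified model of a QUIC client's key lifecycle. All names are
// hypothetical; this is an illustration, not quic-go's implementation.
type client struct {
	initialDropped, handshakeDropped bool
	fixed                            bool // true models the patched behaviour
}

// dropInitialKeys is the step that normally runs earlier in the handshake.
func (c *client) dropInitialKeys() { c.initialDropped = true }

// dropHandshakeKeys asserts the expected order: Initial keys go first.
func (c *client) dropHandshakeKeys() {
	if !c.initialDropped {
		// Reachable assertion (CWE-617): peer-controlled input ends the process.
		panic("handshake keys dropped before Initial keys")
	}
	c.handshakeDropped = true
}

// onHandshakeDone handles a HANDSHAKE_DONE frame received from the server.
func (c *client) onHandshakeDone() {
	if c.fixed && !c.initialDropped {
		// Patched behaviour as the advisory describes it: discard Initial
		// keys here, so a premature frame cannot break the ordering.
		c.dropInitialKeys()
	}
	c.dropHandshakeKeys()
}

// Simulate replays one handshake and reports whether the client panicked.
// premature=true delivers HANDSHAKE_DONE before Initial keys are discarded.
func Simulate(fixed, premature bool) (crashed bool) {
	defer func() { crashed = recover() != nil }()
	c := &client{fixed: fixed}
	if !premature {
		c.dropInitialKeys()
	}
	c.onHandshakeDone()
	return false
}

func main() {
	fmt.Println("unpatched, premature frame, crashed:", Simulate(false, true))
	fmt.Println("patched, premature frame, crashed:", Simulate(true, true))
}
```

In the model, only the unpatched client receiving the premature frame panics; the other three combinations finish the handshake.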