CVE-2025-59530
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-10

Last updated on: 2025-10-14

Assigner: GitHub, Inc.

Description
quic-go is an implementation of the QUIC protocol in Go. In versions prior to 0.49.0, 0.54.1, and 0.55.0, a misbehaving or malicious server can cause a denial-of-service (DoS) attack on the quic-go client by triggering an assertion failure, leading to a process crash. This requires no authentication and can be exploited during the handshake phase. This was observed in the wild with certain server implementations. quic-go needs to be able to handle misbehaving server implementations, including those that prematurely send a HANDSHAKE_DONE frame. Versions 0.49.0, 0.54.1, and 0.55.0 discard Initial keys when receiving a HANDSHAKE_DONE frame, thereby correctly handling premature HANDSHAKE_DONE frames.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-10
Last Modified
2025-10-14
Generated
2026-06-16
AI Q&A
2025-10-10
EPSS Evaluated
2026-06-15
NVD
CVE-2025-59530
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
quic-go quic-go 0.55.0
quic-go quic-go 0.49.1
quic-go quic-go 0.54.1
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-617 The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary.
CWE-755 The product does not handle or incorrectly handles an exceptional condition.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-59530 is a vulnerability in the quic-go library where a malicious or misbehaving QUIC server can cause the quic-go client to crash by sending a premature HANDSHAKE_DONE frame during the TLS handshake. This triggers an assertion failure in the client because the client expects the Initial encryption keys to be discarded before the Handshake keys, but the premature frame causes the Handshake keys to be discarded first, violating the expected key lifecycle. This leads to a denial-of-service (DoS) attack without requiring authentication or user interaction. [3]

Impact Analysis

This vulnerability can cause a denial-of-service (DoS) attack on the quic-go client by crashing the process. An attacker controlling a malicious QUIC server can exploit this by sending a premature HANDSHAKE_DONE frame, causing the client to panic and crash during the handshake phase. This impacts availability but does not affect confidentiality or integrity. No privileges or user interaction are required to exploit this vulnerability. [3]

Detection Guidance

This vulnerability manifests as a denial-of-service (DoS) attack causing the quic-go client process to crash due to an assertion failure triggered by a premature HANDSHAKE_DONE frame from a misbehaving or malicious QUIC server during the handshake phase. Detection can involve monitoring quic-go client logs for assertion failures or crashes related to handshake processing. Network detection could include capturing and analyzing QUIC handshake packets to identify premature HANDSHAKE_DONE frames sent by servers. Specific commands are not provided in the resources, but using packet capture tools like tcpdump or Wireshark to filter QUIC handshake traffic and inspecting for early HANDSHAKE_DONE frames may help. Additionally, monitoring application logs for client crashes or panics during QUIC connections is recommended. [3]

Mitigation Strategies

The immediate mitigation step is to upgrade the quic-go client library to a patched version that addresses this vulnerability. Specifically, upgrade to version 0.49.1, 0.54.1, 0.55.0, or later, where the handling of initial encryption keys during the QUIC handshake has been fixed to discard initial keys upon receiving a HANDSHAKE_DONE frame, preventing the assertion failure and client crash. This upgrade ensures the client can gracefully handle premature HANDSHAKE_DONE frames from misbehaving servers. No other mitigation steps or workarounds are detailed in the resources. [2, 3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-59530. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart