CVE-2025-64702
BaseFortify
Publication date: 2025-12-11
Last updated on: 2026-02-17
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| quic-go_project | quic-go | all versions before 0.57.0 (0.57.0 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-770 | The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in quic-go (versions 0.56.0 and below) is an excessive memory allocation in the HTTP/3 client and server implementations when they process a QPACK-encoded HEADERS frame. Such a frame can decode into a large header field section with many unique header names or large values. The implementation limits the size of the compressed HEADERS frame, but it does not limit the size of the decoded headers, so a small frame can expand into a field section large enough to exhaust memory.
How can this vulnerability impact me?
The vulnerability can lead to memory exhaustion on systems running vulnerable versions of quic-go. This could cause denial of service or degraded performance due to excessive memory consumption when processing specially crafted HTTP/3 HEADERS frames.
What immediate steps should I take to mitigate this vulnerability?
Upgrade quic-go to version 0.57.0 or later, as this version contains the fix for the excessive memory allocation vulnerability caused by processing large QPACK-encoded HEADERS frames.
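The root cause above is a limit on the compressed frame but none on the decoded field section. As an added example (not quic-go's own code), the Go decode loop below accounts for the uncompressed size of every field as it is produced, using the RFC 9114 field section size (name length + value length + 32 bytes per field), and aborts as soon as a cap is exceeded instead of materialising the whole section first; the QPACK decoder itself is replaced by a hypothetical `next` callback fed from a constructed slice.

```go
package main

import (
	"errors"
	"fmt"
)

// HeaderField is one decoded (uncompressed) field of a QPACK field section.
type HeaderField struct{ Name, Value string }

var ErrFieldSectionTooLarge = errors.New("decoded field section exceeds limit")

// fieldSize is the uncompressed size counted against SETTINGS_MAX_FIELD_SECTION_SIZE
// (RFC 9114 §4.2.2): name length + value length + 32 bytes of per-field overhead.
func fieldSize(f HeaderField) uint64 {
	return uint64(len(f.Name)) + uint64(len(f.Value)) + 32
}

// DecodeWithLimit stands in for the HEADERS decode loop (hypothetical; a real QPACK
// decoder would yield fields from the frame payload). The decoded size is checked
// per field, so a small compressed frame cannot expand into an unbounded header set.
func DecodeWithLimit(next func() (HeaderField, bool), maxSize uint64) ([]HeaderField, error) {
	var out []HeaderField
	var used uint64
	for f, ok := next(); ok; f, ok = next() {
		used += fieldSize(f)
		if used > maxSize {
			return nil, fmt.Errorf("%w: %d > %d bytes", ErrFieldSectionTooLarge, used, maxSize)
		}
		out = append(out, f) // only retain the field once the running total is known to fit
	}
	return out, nil
}

// FromSlice adapts a constructed slice of already-decoded fields to the next() source.
func FromSlice(fields []HeaderField) func() (HeaderField, bool) {
	i := 0
	return func() (HeaderField, bool) {
		if i >= len(fields) {
			return HeaderField{}, false
		}
		i++
		return fields[i-1], true
	}
}
```

In a real server the cap would be the value advertised in SETTINGS_MAX_FIELD_SECTION_SIZE, and exceeding it should fail the request stream rather than the whole connection.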