CVE-2025-61684
Denial-of-Service in Quicly via Remote Assertion Failure

Publication date: 2026-01-19

Last updated on: 2026-02-27

Assigner: GitHub, Inc.

Description
Quicly, an IETF QUIC protocol implementation, is susceptible to a denial-of-service attack prior to commit d9d3df6a8530a102b57d840e39b0311ce5c9e14e. A remote attacker can exploit these bugs to trigger an assertion failure that crashes the process using Quicly. Commit d9d3df6a8530a102b57d840e39b0311ce5c9e14e fixes the issue.
Meta Information
Published
2026-01-19
Last Modified
2026-02-27
Generated
2026-06-16
AI Q&A
2026-01-19
EPSS Evaluated
2026-06-15
Affected Vendors & Products
Vendor: h2o
Product: quicly
Version / Range: versions up to 2026-01-18 (excluding)
CWE Classification
CWE-20 (Improper Input Validation): The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
CWE-617 (Reachable Assertion): The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary.
Compliance Impact

The vulnerability causes a denial-of-service (DoS) by crashing the quicly process, impacting availability but not confidentiality or integrity. While availability is a component of many compliance standards, there is no direct information provided about specific impacts on compliance with GDPR, HIPAA, or other regulations. Therefore, the effect on compliance cannot be determined from the provided resources. [1]

Executive Summary

CVE-2025-61684 is a vulnerability in the quicly package, an implementation of the IETF QUIC protocol. It involves assertion failures caused by improper handling of invalid QUIC frames. A remote attacker can exploit this flaw to crash the quicly process, resulting in a denial-of-service (DoS) attack. This crash affects all active QUIC connections managed by the process, disrupting service availability. The vulnerability requires no privileges or user interaction and has a low attack complexity. [1]

Impact Analysis

This vulnerability can cause the quicly process to crash remotely, leading to a denial-of-service condition. If your system uses quicly to manage multiple QUIC connections within a single process, all those connections will be disrupted when the process crashes. This results in loss of availability of the affected service, potentially causing downtime or degraded user experience. [1]

Detection Guidance

This vulnerability can be detected by monitoring for crashes or assertion failures in the quicly process, especially when handling QUIC frames. Since the issue involves improper handling of invalid QUIC frames leading to process crashes, checking system logs for quicly crashes or abnormal terminations can help detect exploitation attempts. However, no specific detection commands or signatures are provided in the available resources. [1]

Mitigation Strategies

The immediate mitigation step is to update the quicly package to include the fix introduced in commit d9d3df6a8530a102b57d840e39b0311ce5c9e14e or later. This commit addresses the assertion failure issue and prevents the denial-of-service attack. Until the update is applied, monitoring and restricting network access to the vulnerable quicly service may reduce exposure. [1, 2]
