CVE-2025-61684
Denial-of-Service in Quicly via Remote Assertion Failure
Publication date: 2026-01-19
Last updated on: 2026-02-27
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| h2o | quicly | versions before 2026-01-18 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
| CWE-617 | The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability causes a denial-of-service (DoS) by crashing the quicly process, impacting availability but not confidentiality or integrity. While availability is a component of many compliance standards, there is no direct information provided about specific impacts on compliance with GDPR, HIPAA, or other regulations. Therefore, the effect on compliance cannot be determined from the provided resources. [1]
Can you explain this vulnerability to me?
CVE-2025-61684 is a vulnerability in the quicly package, an implementation of the IETF QUIC protocol. It involves assertion failures caused by improper handling of invalid QUIC frames. A remote attacker can exploit this flaw to crash the quicly process, resulting in a denial-of-service (DoS) attack. This crash affects all active QUIC connections managed by the process, disrupting service availability. The vulnerability requires no privileges or user interaction and has a low attack complexity. [1]
How can this vulnerability impact me?
This vulnerability can cause the quicly process to crash remotely, leading to a denial-of-service condition. If your system uses quicly to manage multiple QUIC connections within a single process, all those connections will be disrupted when the process crashes. This results in loss of availability of the affected service, potentially causing downtime or degraded user experience. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for crashes or assertion failures in the quicly process, especially when handling QUIC frames. Since the issue involves improper handling of invalid QUIC frames leading to process crashes, checking system logs for quicly crashes or abnormal terminations can help detect exploitation attempts. However, no specific detection commands or signatures are provided in the available resources. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update the quicly package to include the fix introduced in commit d9d3df6a8530a102b57d840e39b0311ce5c9e14e or later. This commit addresses the assertion failure issue and prevents the denial-of-service attack. Until the update is applied, monitoring and restricting network access to the vulnerable quicly service may reduce exposure. [1, 2]
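As an added illustration of the CWE-617 / CWE-20 pattern listed above (example code written for this page, not quicly's own source, and not the specific check fixed in the referenced commit, which the page does not identify): a length-prefixed QUIC frame decoder that enforces a property of remote input with assert(), beside a form that validates the same property and reports it as a connection-level transport error, so only the offending connection is closed rather than the whole process. The frame type byte and sample frames are constructed for the demo.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>

/* QUIC transport error code for a malformed frame (RFC 9000 section 20.1). */
#define QUIC_FRAME_ENCODING_ERROR 0x07

/* Decode a QUIC variable-length integer (RFC 9000 section 16).
 * Returns the number of bytes consumed, or 0 if the buffer is too short. */
static size_t decode_varint(const uint8_t *p, size_t len, uint64_t *out)
{
    if (len == 0) return 0;
    size_t n = (size_t)1 << (p[0] >> 6);   /* top two bits: 1, 2, 4 or 8 bytes */
    if (n > len) return 0;
    uint64_t v = p[0] & 0x3f;
    for (size_t i = 1; i < n; i++) v = (v << 8) | p[i];
    *out = v;
    return n;
}

/* CWE-617 pattern: the body length sent by the peer is "checked" with assert().
 * A peer that sends a length larger than the packet aborts the process and
 * every QUIC connection it serves. Do not call this with malformed input. */
int decode_frame_asserting(const uint8_t *buf, size_t len, size_t *body_len)
{
    uint64_t n;
    assert(len >= 2);                                  /* byte 0 is the frame type */
    size_t used = decode_varint(buf + 1, len - 1, &n);
    assert(used != 0 && n <= len - 1 - used);          /* remote input, not an invariant */
    *body_len = (size_t)n;
    return 0;
}

/* Hardened form: the same condition is validated and surfaced as an error the
 * caller turns into CONNECTION_CLOSE for this one connection. */
int decode_frame_checked(const uint8_t *buf, size_t len, size_t *body_len)
{
    uint64_t n;
    if (len < 2) return QUIC_FRAME_ENCODING_ERROR;
    size_t used = decode_varint(buf + 1, len - 1, &n);
    if (used == 0 || n > len - 1 - used) return QUIC_FRAME_ENCODING_ERROR;
    *body_len = (size_t)n;
    return 0;
}

/* Constructed sample frames: a well-formed 3-byte body, and a frame whose
 * 2-byte varint claims 16 bytes of body while only 1 byte follows. */
int demo_checked_valid(void)
{   size_t bl = 0; const uint8_t f[] = {0x06, 0x03, 'a', 'b', 'c'};
    return decode_frame_checked(f, sizeof f, &bl) == 0 ? (int)bl : -1; }
int demo_checked_truncated(void)
{   size_t bl = 0; const uint8_t f[] = {0x06, 0x40, 0x10, 'a'};
    return decode_frame_checked(f, sizeof f, &bl); }
```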