CVE-2025-64702

NameCVE-2025-64702
Descriptionquic-go is an implementation of the QUIC protocol in Go. Versions 0.56.0 and below are vulnerable to excessive memory allocation through quic-go's HTTP/3 client and server implementations by sending a QPACK-encoded HEADERS frame that decodes into a large header field section (many unique header names and/or large values). The implementation builds an http.Header (used on the http.Request and http.Response, respectively), while only enforcing limits on the size of the (QPACK-compressed) HEADERS frame, but not on the decoded header, leading to memory exhaustion. This issue is fixed in version 0.57.0.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1122814

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
golang-github-lucas-clemente-quic-go (PTS)bullseye0.19.3-1vulnerable
bookworm0.29.0-1vulnerable
trixie0.50.1-2vulnerable
forky, sid0.55.0-1vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
golang-github-lucas-clemente-quic-gosource(unstable)(unfixed)1122814

Notes

[trixie] - golang-github-lucas-clemente-quic-go <no-dsa> (Minor issue)
[bookworm] - golang-github-lucas-clemente-quic-go <no-dsa> (Minor issue)
https://github.com/quic-go/quic-go/security/advisories/GHSA-g754-hx8w-x2g6
Fixed by: https://github.com/quic-go/quic-go/commit/5b2d2129f8315da41e01eff0a847ab38a34e83a8 (v0.57.0)
Search for package or bug name: Reporting problems