{"id":"AZL-68778","summary":"CVE-2025-59530 affecting package coredns for versions less than 1.11.4-11","details":"quic-go is an implementation of the QUIC protocol in Go. In versions prior to 0.49.0, 0.54.1, and 0.55.0, a misbehaving or malicious server can cause a denial-of-service (DoS) attack on the quic-go client by triggering an assertion failure, leading to a process crash. This requires no authentication and can be exploited during the handshake phase. This was observed in the wild with certain server implementations. quic-go needs to be able to handle misbehaving server implementations, including those that prematurely send a HANDSHAKE_DONE frame. Versions 0.49.0, 0.54.1, and 0.55.0 discard Initial keys when receiving a HANDSHAKE_DONE frame, thereby correctly handling premature HANDSHAKE_DONE frames.","modified":"2026-04-01T05:21:28.736204Z","published":"2025-10-10T16:15:52Z","upstream":["CVE-2025-59530"],"references":[{"type":"WEB","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-59530"}],"affected":[{"package":{"name":"coredns","ecosystem":"Azure Linux:3","purl":"pkg:rpm/azure-linux/coredns"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.11.4-11"}]}],"database_specific":{"source":"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-68778.json"}}],"schema_version":"1.7.5"}