{"id":"CVE-2025-59530","summary":"quic-go has Client Crash Due to Premature HANDSHAKE_DONE Frame","details":"quic-go is an implementation of the QUIC protocol in Go. In versions prior to 0.49.0, 0.54.1, and 0.55.0, a misbehaving or malicious server can cause a denial-of-service (DoS) attack on the quic-go client by triggering an assertion failure, leading to a process crash. This requires no authentication and can be exploited during the handshake phase. This was observed in the wild with certain server implementations. quic-go needs to be able to handle misbehaving server implementations, including those that prematurely send a HANDSHAKE_DONE frame. Versions 0.49.0, 0.54.1, and 0.55.0 discard Initial keys when receiving a HANDSHAKE_DONE frame, thereby correctly handling premature HANDSHAKE_DONE frames.","aliases":["GHSA-47m2-4cr7-mhcw","GO-2025-4017"],"modified":"2026-03-20T12:45:20.923110Z","published":"2025-10-10T16:09:55.227Z","related":["CGA-8h2r-m9j3-fwcq","openSUSE-SU-2025:15710-1","openSUSE-SU-2025:15737-1"],"database_specific":{"cna_assigner":"GitHub_M","cwe_ids":["CWE-617","CWE-755"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/59xxx/CVE-2025-59530.json"},"references":[{"type":"WEB","url":"https://github.com/quic-go/quic-go/blob/v0.55.0/connection.go#L2682-L2685"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/59xxx/CVE-2025-59530.json"},{"type":"ADVISORY","url":"https://github.com/quic-go/quic-go/security/advisories/GHSA-47m2-4cr7-mhcw"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-59530"},{"type":"FIX","url":"https://github.com/quic-go/quic-go/pull/5354"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/quic-go/quic-go","events":[{"introduced":"0"},{"fixed":"275c172fec2b4dae0eea5ac2052a28848b4363ea"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"0.49.1"}]}},{"type":"GIT","repo":"https://github.com/quic-go/quic-go","events":[{"introduced":"d51a4a1ba70df8c2d5c4522c071aaa225690a11d"},{"fixed":"0264fbc02e94a24370ff68005e02aa53f10add58"}],"database_specific":{"versions":[{"introduced":"0.5.0"},{"fixed":"0.54.1"}]}}],"versions":["v.0.21","v0.21.0","v0.21.1","v0.22.0","v0.23.0","v0.24.0","v0.25.0","v0.26.0","v0.27.0","v0.28.0","v0.28.1","v0.29.0","v0.30.0","v0.31.0","v0.31.1","v0.32.0","v0.33.0","v0.34.0","v0.35.0","v0.35.1","v0.36.0","v0.37.0","v0.37.1","v0.38.0","v0.38.1","v0.39.0","v0.4","v0.40.0","v0.41.0","v0.42.0","v0.43.0","v0.44.0","v0.45.0","v0.46.0","v0.47.0","v0.48.0","v0.48.1","v0.49.0","v0.5.0","v0.50.0","v0.51.0","v0.52.0","v0.53.0","v0.54.0","v0.6.0","v0.7.0"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-59530.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}