Bug 2403125 (CVE-2025-59530)

Summary: CVE-2025-59530 github.com/quic-go/quic-go: quic-go Crash Due to Premature HANDSHAKE_DONE Frame
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aarif, abuckta, adudiak, alcohan, aprice, bdettelb, carogers, caswilli, cmah, crizzo, dkuc, doconnor, erezende, gparvin, gtanzill, haoli, hkataria, jajackso, jbalunas, jbuscemi, jcammara, jdobes, jmitchel, jneedle, jsamir, jsherril, jvasik, kaycoth, kegrant, kgaikwad, koliveir, kshier, mabashia, mpierce, oezr, orabin, owatkins, pahickey, pbraun, psegedy, rblanco, rhaigner, rochandr, sdawley, shvarugh, simaishi, smcdonal, stcannon, sthirugn, teagle, tfister, thavo, vkrizan, vmugicag, yguenane
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A denial of service flaw has been discovered in the quic-go golang library. A misbehaving or malicious server can cause a denial-of-service (DoS) attack on the quic-go client by triggering an assertion failure, leading to a process crash. This requires no authentication and can be exploited during the handshake phase. This was observed in the wild with certain server implementations.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2025-10-10 17:01:40 UTC 
quic-go is an implementation of the QUIC protocol in Go. In versions prior to 0.49.0, 0.54.1, and 0.55.0, a misbehaving or malicious server can cause a denial-of-service (DoS) attack on the quic-go client by triggering an assertion failure, leading to a process crash. This requires no authentication and can be exploited during the handshake phase. This was observed in the wild with certain server implementations. quic-go needs to be able to handle misbehaving server implementations, including those that prematurely send a HANDSHAKE_DONE frame. Versions 0.49.0, 0.54.1, and 0.55.0 discard Initial keys when receiving a HANDSHAKE_DONE frame, thereby correctly handling premature HANDSHAKE_DONE frames.
Comment 3 errata-xmlrpc 2025-11-18 16:43:12 UTC 
This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.4 for RHEL 8
  Red Hat Ansible Automation Platform 2.4 for RHEL 9

Via RHSA-2025:21706 https://access.redhat.com/errata/RHSA-2025:21706
Comment 4 errata-xmlrpc 2025-11-19 15:44:46 UTC 
This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.6 for RHEL 9

Via RHSA-2025:21768 https://access.redhat.com/errata/RHSA-2025:21768
Comment 5 errata-xmlrpc 2025-12-10 17:40:23 UTC 
This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.5 for RHEL 9
  Red Hat Ansible Automation Platform 2.5 for RHEL 8

Via RHSA-2025:23069 https://access.redhat.com/errata/RHSA-2025:23069