2421635 – (CVE-2025-64702) CVE-2025-64702 github.com/quic-go/quic-go/http3: quic-go HTTP/3 QPACK Header Expansion DoS

Bug 2421635 (CVE-2025-64702) - CVE-2025-64702 github.com/quic-go/quic-go/http3: quic-go HTTP/3 QPACK Header Expansion DoS

Summary: CVE-2025-64702 github.com/quic-go/quic-go/http3: quic-go HTTP/3 QPACK Header ...

Keywords:
Status:	NEW
Alias:	CVE-2025-64702
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2423094 2423095 2423096 2423097 2423098 2423099 2423100
Blocks:
TreeView+	depends on / blocked

Reported:	2025-12-11 22:03 UTC by OSIDB Bzimport
Modified:	2025-12-17 08:23 UTC (History)
CC List:	7 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2025-12-11 22:03:29 UTC

quic-go is an implementation of the QUIC protocol in Go. Versions 0.56.0 and below are vulnerable to excessive memory allocation through quic-go's HTTP/3 client and server implementations by sending a QPACK-encoded HEADERS frame that decodes into a large header field section (many unique header names and/or large values). The implementation builds an http.Header (used on the http.Request and http.Response, respectively), while only enforcing limits on the size of the (QPACK-compressed) HEADERS frame, but not on the decoded header, leading to memory exhaustion. This issue is fixed in version 0.57.0.

Note You need to log in before you can comment on or make changes to this bug.