2403125 – (CVE-2025-59530) CVE-2025-59530 github.com/quic-go/quic-go: quic-go Crash Due to Premature HANDSHAKE_DONE Frame

Bug 2403125 (CVE-2025-59530) - CVE-2025-59530 github.com/quic-go/quic-go: quic-go Crash Due to Premature HANDSHAKE_DONE Frame

Summary: CVE-2025-59530 github.com/quic-go/quic-go: quic-go Crash Due to Premature HAN...

Keywords:
Status:	NEW
Alias:	CVE-2025-59530
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2025-10-10 17:01 UTC by OSIDB Bzimport
Modified:	2025-12-10 17:40 UTC (History)
CC List:	55 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2025:21706	None	None	None	2025-11-18 16:43:16 UTC
Red Hat Product Errata	RHSA-2025:21768	None	None	None	2025-11-19 15:44:50 UTC
Red Hat Product Errata	RHSA-2025:23069	None	None	None	2025-12-10 17:40:28 UTC

Description OSIDB Bzimport 2025-10-10 17:01:40 UTC

quic-go is an implementation of the QUIC protocol in Go. In versions prior to 0.49.0, 0.54.1, and 0.55.0, a misbehaving or malicious server can cause a denial-of-service (DoS) attack on the quic-go client by triggering an assertion failure, leading to a process crash. This requires no authentication and can be exploited during the handshake phase. This was observed in the wild with certain server implementations. quic-go needs to be able to handle misbehaving server implementations, including those that prematurely send a HANDSHAKE_DONE frame. Versions 0.49.0, 0.54.1, and 0.55.0 discard Initial keys when receiving a HANDSHAKE_DONE frame, thereby correctly handling premature HANDSHAKE_DONE frames.

Comment 3 errata-xmlrpc 2025-11-18 16:43:12 UTC

This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.4 for RHEL 8
  Red Hat Ansible Automation Platform 2.4 for RHEL 9

Via RHSA-2025:21706 https://access.redhat.com/errata/RHSA-2025:21706

Comment 4 errata-xmlrpc 2025-11-19 15:44:46 UTC

This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.6 for RHEL 9

Via RHSA-2025:21768 https://access.redhat.com/errata/RHSA-2025:21768

Comment 5 errata-xmlrpc 2025-12-10 17:40:23 UTC

This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.5 for RHEL 9
  Red Hat Ansible Automation Platform 2.5 for RHEL 8

Via RHSA-2025:23069 https://access.redhat.com/errata/RHSA-2025:23069

Note You need to log in before you can comment on or make changes to this bug.

aarif
abuckta
adudiak
alcohan
aprice
bdettelb
carogers
caswilli
cmah
crizzo
dkuc
doconnor
erezende
gparvin
gtanzill
haoli
hkataria
jajackso
jbalunas
jbuscemi
jcammara
jdobes
jmitchel
jneedle
jsamir
jsherril
jvasik
kaycoth
kegrant
kgaikwad
koliveir
kshier
mabashia
mpierce
oezr
orabin
owatkins
pahickey
pbraun
psegedy
rblanco
rhaigner
rochandr
sdawley
shvarugh
simaishi
smcdonal
stcannon
sthirugn
teagle
tfister
thavo
vkrizan
vmugicag
yguenane