CVE-2025-29785: quic-go Has Panic in Path Probe Loss Recovery Handling

June 3, 2025 (updated June 4, 2025)

The loss recovery logic for path probe packets that was added in the v0.50.0 release can be used to trigger a nil-pointer dereference by a malicious QUIC client.

In order to do so, the attacker first sends valid QUIC packets from different remote addresses (thereby triggering the newly added path validation logic: the server sends path probe packets), and then sending ACKs for packets received from the server specifically crafted to trigger the nil-pointer dereference.

References

github.com/advisories/GHSA-j972-j939-p2v3
github.com/quic-go/quic-go
github.com/quic-go/quic-go/commit/b90058aba5f65f48e0e150c89bbaa21a72dda4de
github.com/quic-go/quic-go/issues/4981
github.com/quic-go/quic-go/security/advisories/GHSA-j972-j939-p2v3
nvd.nist.gov/vuln/detail/CVE-2025-29785

Code Behaviors & Features

Detect and mitigate CVE-2025-29785 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →