CVE-2025-59530: quic-go: Panic occurs when queuing undecryptable packets after handshake completion
A misbehaving or malicious server can trigger an assertion failure in a quic-go client, crashing the client process, by sending a HANDSHAKE_DONE frame before the handshake has actually completed. The premature frame makes the client treat the handshake as done, and a packet that then arrives without usable keys reaches the undecryptable-packet queue, where an internal assertion that such queuing only happens during the handshake panics. Because the trigger is a single peer-controlled frame, any client connecting to an untrusted server is exposed.
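The sequence is easier to see on a reduced state machine. The following Go program is an added illustration, not quic-go's code: the `client` type, its `strict` flag, the single-CRYPTO-frame handshake and the packet bytes are all constructed for this example. It contrasts a client that accepts HANDSHAKE_DONE unconditionally and enforces the queue invariant with a panic against one that rejects the premature frame as a protocol violation and turns the invariant into an error the connection can close on.

```go
package main

import (
	"errors"
	"fmt"
)

// Frame types relevant to this model (a small subset of RFC 9000 frames).
type Frame int

const (
	FrameCrypto        Frame = iota // carries TLS handshake messages
	FrameHandshakeDone              // server-only; signals handshake confirmation
)

var (
	ErrProtocolViolation = errors.New("PROTOCOL_VIOLATION: HANDSHAKE_DONE received before the TLS handshake completed")
	ErrQueueAfterDone    = errors.New("undecryptable packet received after handshake completion; closing connection")
)

// client is a hypothetical, reduced QUIC client state machine with only the
// fields needed to show the premature-HANDSHAKE_DONE problem. It is not
// quic-go's connection type.
type client struct {
	tlsComplete       bool     // the TLS layer reported the handshake finished
	handshakeComplete bool     // the connection treats the handshake as complete
	strict            bool     // hardened behaviour on/off
	undecryptable     [][]byte // packets held until their keys arrive
}

// handleFrame processes one received frame.
func (c *client) handleFrame(f Frame) error {
	switch f {
	case FrameCrypto:
		// Constructed simplification: a single CRYPTO frame finishes TLS here.
		c.tlsComplete = true
		c.handshakeComplete = true
		return nil
	case FrameHandshakeDone:
		if c.strict && !c.tlsComplete {
			// Hardened: the frame cannot be legitimate before TLS has finished.
			return ErrProtocolViolation
		}
		c.handshakeComplete = true
		return nil
	default:
		return fmt.Errorf("unsupported frame type %d", f)
	}
}

// queueUndecryptable holds a packet whose keys are not available yet.
// The invariant is that this only happens while the handshake is in progress.
func (c *client) queueUndecryptable(pkt []byte) error {
	if c.handshakeComplete {
		if !c.strict {
			// Vulnerable: the invariant is enforced with a panic, which a peer
			// can now reach because handshakeComplete was set by an unverified frame.
			panic("BUG: queueing undecryptable packet after handshake completion")
		}
		// Hardened: never panic on peer-controlled input; report an error so the
		// connection is closed instead of the process.
		return ErrQueueAfterDone
	}
	c.undecryptable = append(c.undecryptable, pkt)
	return nil
}

// scenario replays the malicious server's order of events: HANDSHAKE_DONE before
// any CRYPTO frame, then a packet the client cannot decrypt yet. It reports
// whether the client crashed (panicked) and which error, if any, it returned.
func scenario(strict bool) (crashed bool, err error) {
	defer func() {
		if r := recover(); r != nil {
			crashed = true
		}
	}()
	c := &client{strict: strict}
	if err = c.handleFrame(FrameHandshakeDone); err != nil {
		return false, err
	}
	// Constructed packet bytes; the content is irrelevant, only that no key exists.
	err = c.queueUndecryptable([]byte{0x40, 0x01, 0x02, 0x03})
	return false, err
}

// legitimate runs the normal order: a too-early packet is queued, TLS finishes,
// then HANDSHAKE_DONE is accepted. It returns how many packets were queued.
func legitimate() (int, error) {
	c := &client{strict: true}
	if err := c.queueUndecryptable([]byte{0x40, 0x0a}); err != nil {
		return 0, err
	}
	if err := c.handleFrame(FrameCrypto); err != nil {
		return 0, err
	}
	if err := c.handleFrame(FrameHandshakeDone); err != nil {
		return 0, err
	}
	return len(c.undecryptable), nil
}

func main() {
	crashed, err := scenario(false)
	fmt.Printf("vulnerable client: crashed=%v err=%v\n", crashed, err)
	crashed, err = scenario(true)
	fmt.Printf("hardened client:   crashed=%v err=%v\n", crashed, err)
	n, err := legitimate()
	fmt.Printf("legitimate flow:   queued=%d err=%v\n", n, err)
}
```

The two hardening points are independent: validating HANDSHAKE_DONE against the TLS state stops the attack at the frame, and replacing the panic with an error means that even a future way of reaching the same path costs one connection rather than the whole process. When auditing a QUIC implementation, look for both: peer-driven state transitions that are not cross-checked against the crypto layer, and invariants on peer-reachable paths that are enforced with panics or asserts.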
References
- github.com/advisories/GHSA-47m2-4cr7-mhcw
- github.com/quic-go/quic-go
- github.com/quic-go/quic-go/blob/v0.55.0/connection.go
- github.com/quic-go/quic-go/commit/bc5bccf10fd02728eef150683eb4dfaa5c0e749c
- github.com/quic-go/quic-go/commit/ce7c9ea8834b9d2ed79efa9269467f02c0895d42
- github.com/quic-go/quic-go/pull/5354
- github.com/quic-go/quic-go/security/advisories/GHSA-47m2-4cr7-mhcw
- nvd.nist.gov/vuln/detail/CVE-2025-59530