What is the CVSS score of CVE-2025-29785?

CVE-2025-29785 has a CVSS 3.1 base score of 7.5 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. EPSS exploitation probability: 0.0%.

Which versions of Golang are affected by CVE-2025-29785?

A high-severity vulnerability in quic-go (CVE-2025-29785) allows remote attackers to crash services by sending specially crafted QUIC packets, potentially causing denial of service for any…. A patch is available.

How to fix or mitigate CVE-2025-29785?

Within 24 hours: Identify all services and applications using quic-go v0.50.0 and assess their criticality and internet exposure. Within 7 days: Upgrade to quic-go v0.50.1 or later across all development, staging, and production environments; prioritize internet-facing services. Within 30 days: Verify patches are deployed across all systems, conduct testing to confirm functionality, and document the update in your change management system.

Golang CVE-2025-29785

EUVD-2025-16643 HIGH

Uncaught Exception (CWE-248)

2025-06-02 security-advisories@github.com

GHSA-j972-j939-p2v3

Denial Of Service Null Pointer Dereference Golang Red Hat Suse

7.5

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Lifecycle Timeline

Patch released

Mar 31, 2026 - 21:13 nvd

Patch available

EUVD ID Assigned

Mar 14, 2026 - 16:47 euvd

EUVD-2025-16643

Analysis Generated

Mar 14, 2026 - 16:47 vuln.today

CVE Published

Jun 02, 2025 - 11:15 nvd

HIGH 7.5

DescriptionNVD

quic-go is an implementation of the QUIC protocol in Go. The loss recovery logic for path probe packets that was added in the v0.50.0 release can be used to trigger a nil-pointer dereference by a malicious QUIC client. In order to do so, the attacker first sends valid QUIC packets from different remote addresses (thereby triggering the newly added path validation logic: the server sends path probe packets), and then sending ACKs for packets received from the server specifically crafted to trigger the nil-pointer dereference. v0.50.1 contains a patch that fixes the vulnerability. This release contains a test that generates random sequences of sent packets (both regular and path probe packets), that was used to verify that the patch actually covers all corner cases. No known workarounds are available.

AnalysisAI

Nil-pointer dereference vulnerability in quic-go's path probe loss recovery logic introduced in v0.50.0 that allows unauthenticated remote attackers to crash QUIC servers. A malicious client can trigger a denial-of-service by sending valid QUIC packets from multiple addresses to initiate path validation, then crafting specific ACKs to dereference a null pointer. The vulnerability affects quic-go versions from v0.50.0 through v0.50.0 (patched in v0.50.1), with a CVSS score of 7.5 and high availability impact but no known active exploitation or public POC at time of disclosure.

Technical ContextAI

quic-go (cpe:pkg:golang:quic-go) is a pure Go implementation of the QUIC transport protocol (RFC 9000). The vulnerability resides in the loss recovery subsystem added during the v0.50.0 release, specifically in code handling path probe packet acknowledgment and retransmission logic. Path probing is a legitimate QUIC mechanism for validating alternative network paths during connection migration. The root cause is CWE-248 (Uncaught Exception / Unhandled Condition), manifesting as improper null pointer validation before dereferencing an object in the path probe tracking state machine. When a server receives crafted ACKs that reference path probe packets in an unexpected sequence or state, the loss recovery logic attempts to access packet metadata without verifying its existence, causing an unhandled nil dereference that crashes the Go runtime.

RemediationAI

(1) Immediate: Update quic-go to v0.50.1 or later (patch released alongside CVE disclosure); (2) Dependency update: Execute 'go get -u github.com/quic-go/quic-go@v0.50.1' and rebuild affected applications; (3) Verification: Confirm patch via 'go list -m all | grep quic-go' returns v0.50.1+; (4) Testing: The v0.50.1 release includes a randomized test suite covering path probe corner cases—run this locally to validate patch correctness; (5) Workarounds: No known workarounds exist before patching; temporary mitigation could include rate-limiting path probe ACK processing or disabling QUIC path validation at the application level (not recommended, reduces protocol compliance); (6) Vendor advisory: Monitor quic-go GitHub releases (github.com/quic-go/quic-go/releases) for official patch documentation and coordinated disclosure timeline.

More from same product – last 7 days

CVE-2026-9277 HIGH This Week

8.1 May 22

Command injection in the shell-quote npm package allows attackers who can influence object-token inputs to inject arbitr

CVE-2026-9256 HIGH This Week

8.1 May 22

Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module allows unauthenticated remote attackers

Vendor StatusVendor

Ubuntu

Priority: Medium

golang-github-lucas-clemente-quic-go

Release	Status	Version
focal	DNE	-
jammy	needs-triage	-
noble	needs-triage	-
upstream	released	0.50.1-1
oracular	ignored	end of life, was needs-triage
questing	not-affected	0.50.1-2
plucky	ignored	end of life, was needs-triage

Debian

golang-github-lucas-clemente-quic-go

Release	Status	Fixed Version	Urgency
bullseye	vulnerable	0.19.3-1	-
bookworm	vulnerable	0.29.0-1	-
trixie	fixed	0.50.1-2	-
forky, sid	fixed	0.59.0-2	-
(unstable)	fixed	0.50.1-1	-

CVE-2025-29785 vulnerability details – vuln.today

Back

Golang CVE-2025-29785

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Technical ContextAI

RemediationAI

More from same product – last 7 days

Vendor StatusVendor

Ubuntu

Debian

Share

External POC / Exploit Code