EUVD-2025-16643

| CVE-2025-29785 HIGH
2025-06-02 [email protected] GHSA-j972-j939-p2v3
7.5
CVSS 3.1
Share

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Patch Released
Mar 31, 2026 - 21:13 nvd
Patch available
Analysis Generated
Mar 14, 2026 - 16:47 vuln.today
EUVD ID Assigned
Mar 14, 2026 - 16:47 euvd
EUVD-2025-16643
CVE Published
Jun 02, 2025 - 11:15 nvd
HIGH 7.5

Tags

Golang Denial Of Service Null Pointer Dereference Redhat Suse

Description

quic-go is an implementation of the QUIC protocol in Go. The loss recovery logic for path probe packets that was added in the v0.50.0 release can be used to trigger a nil-pointer dereference by a malicious QUIC client. In order to do so, the attacker first sends valid QUIC packets from different remote addresses (thereby triggering the newly added path validation logic: the server sends path probe packets), and then sending ACKs for packets received from the server specifically crafted to trigger the nil-pointer dereference. v0.50.1 contains a patch that fixes the vulnerability. This release contains a test that generates random sequences of sent packets (both regular and path probe packets), that was used to verify that the patch actually covers all corner cases. No known workarounds are available.

Analysis

Nil-pointer dereference vulnerability in quic-go's path probe loss recovery logic introduced in v0.50.0 that allows unauthenticated remote attackers to crash QUIC servers. A malicious client can trigger a denial-of-service by sending valid QUIC packets from multiple addresses to initiate path validation, then crafting specific ACKs to dereference a null pointer. The vulnerability affects quic-go versions from v0.50.0 through v0.50.0 (patched in v0.50.1), with a CVSS score of 7.5 and high availability impact but no known active exploitation or public POC at time of disclosure.

Technical Context

quic-go (cpe:pkg:golang:quic-go) is a pure Go implementation of the QUIC transport protocol (RFC 9000). The vulnerability resides in the loss recovery subsystem added during the v0.50.0 release, specifically in code handling path probe packet acknowledgment and retransmission logic. Path probing is a legitimate QUIC mechanism for validating alternative network paths during connection migration. The root cause is CWE-248 (Uncaught Exception / Unhandled Condition), manifesting as improper null pointer validation before dereferencing an object in the path probe tracking state machine. When a server receives crafted ACKs that reference path probe packets in an unexpected sequence or state, the loss recovery logic attempts to access packet metadata without verifying its existence, causing an unhandled nil dereference that crashes the Go runtime.

Affected Products

quic-go versions v0.50.0 (all minor/patch variants) and potentially earlier versions if backported with the vulnerable path probe code. Specifically affects: (1) quic-go module (go.openssl.org/quic-go or github.com/quic-go/quic-go depending on import path); (2) Any application or service embedding quic-go v0.50.0 for QUIC protocol support, including proxies, load balancers, VPN clients/servers, and specialized networking applications written in Go. Note: v0.50.1 and later versions contain the patch. Applications must verify their direct and transitive dependencies; Go module scanning tools should flag quic-go 0.50.0 in go.mod or go.sum files.

Remediation

(1) Immediate: Update quic-go to v0.50.1 or later (patch released alongside CVE disclosure); (2) Dependency update: Execute 'go get -u github.com/quic-go/[email protected]' and rebuild affected applications; (3) Verification: Confirm patch via 'go list -m all | grep quic-go' returns v0.50.1+; (4) Testing: The v0.50.1 release includes a randomized test suite covering path probe corner cases—run this locally to validate patch correctness; (5) Workarounds: No known workarounds exist before patching; temporary mitigation could include rate-limiting path probe ACK processing or disabling QUIC path validation at the application level (not recommended, reduces protocol compliance); (6) Vendor advisory: Monitor quic-go GitHub releases (github.com/quic-go/quic-go/releases) for official patch documentation and coordinated disclosure timeline.

Priority Score

38
Low Medium High Critical
KEV: 0
EPSS: +0.0
CVSS: +38
POC: 0

Vendor Status

Ubuntu

Priority: Medium
golang-github-lucas-clemente-quic-go
Release Status Version
focal DNE -
jammy needs-triage -
noble needs-triage -
upstream released 0.50.1-1
oracular ignored end of life, was needs-triage
questing not-affected 0.50.1-2
plucky ignored end of life, was needs-triage

Debian

golang-github-lucas-clemente-quic-go
Release Status Fixed Version Urgency
bullseye vulnerable 0.19.3-1 -
bookworm vulnerable 0.29.0-1 -
trixie fixed 0.50.1-2 -
forky, sid fixed 0.59.0-2 -
(unstable) fixed 0.50.1-1 -

Share

EUVD-2025-16643 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy