EUVD-2025-21179

CVE-2025-30403
Severity: HIGH (CVSS 3.1 base score 8.1)
Published: 2025-07-11 ([email protected])

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: High

Lifecycle Timeline

Analysis Generated: Mar 16, 2026 - 08:18 (vuln.today)
EUVD ID Assigned: Mar 16, 2026 - 08:18 (euvd), EUVD-2025-21179
CVE Published: Jul 11, 2025 - 19:15 (nvd), HIGH 8.1

Description

A heap-buffer-overflow vulnerability is possible in mvfst via a specially crafted message during a QUIC session. This issue affects mvfst versions prior to v2025.07.07.00.

Analysis

CVE-2025-30403 is a heap buffer overflow vulnerability in Meta's mvfst QUIC implementation. It allows remote, unprivileged attackers to trigger memory corruption, causing denial of service or potentially disclosing sensitive data from heap memory. The vulnerability affects mvfst versions prior to v2025.07.07.00 and requires user interaction (opening a malicious QUIC connection). The CVSS score of 8.1 (High) reflects the severity of memory safety issues; KEV status and EPSS probability data are not currently available in public disclosures.

Technical Context

mvfst is Meta's implementation of the QUIC protocol (RFC 9000), a modern transport layer protocol designed as a successor to TCP. The vulnerability exists in QUIC message processing logic where specially crafted message payloads are not adequately bounds-checked before being written to heap-allocated buffers. This is a classic CWE-122 (Heap-based Buffer Overflow) vulnerability, where insufficient input validation combined with unsafe memory operations allows an attacker to write beyond allocated buffer boundaries. The QUIC protocol's variable-length encoding and optional field structures create parsing complexity that may have been inadequately validated. The CPE identifier is cpe:2.3:a:meta:mvfst:*:*:*:*:*:*:*:* (versions <2025.07.07.00).
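As an added illustration of the parsing class this paragraph describes (example code written for this record, not mvfst's code, and not the specific defect behind CVE-2025-30403, whose location the record does not identify): a bounds-checked C decoder for the RFC 9000 Section 16 variable-length integer and for a length-prefixed field of the kind QUIC frames carry. The names qp_read_varint, qp_read_field, qp_varint_value and qp_selfcheck, and the byte strings inside qp_selfcheck, are assumptions constructed for this example. The three checks marked in comments are the ones a heap overflow of this class would be missing: the varint prefix length against the bytes available, and the declared field length against both the receiver's cap and the bytes actually present, before anything is copied.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parse status codes (example-specific, not an mvfst API). */
enum qp_status { QP_OK = 0, QP_TRUNCATED = -1, QP_TOO_LARGE = -2, QP_NOMEM = -3 };

/* Decode one RFC 9000 Section 16 variable-length integer from buf[0..len).
 * The top two bits of the first byte select a 1, 2, 4 or 8 byte encoding;
 * the remaining 6 bits of that byte are the high bits of the value.
 * Returns the number of bytes consumed, or QP_TRUNCATED. */
int qp_read_varint(const uint8_t *buf, size_t len, uint64_t *out)
{
    if (len == 0)
        return QP_TRUNCATED;
    size_t n = (size_t)1 << (buf[0] >> 6);
    /* Check 1: the prefix promises n bytes; a fixed-width read that trusts
     * the prefix without this comparison reads past the end of the packet. */
    if (len < n)
        return QP_TRUNCATED;
    uint64_t v = buf[0] & 0x3f;
    for (size_t i = 1; i < n; i++)
        v = (v << 8) | buf[i];
    *out = v;
    return (int)n;
}

/* Convenience wrapper: the decoded value, or UINT64_MAX (never a valid
 * varint value, the maximum is 2^62-1) when the buffer is truncated. */
uint64_t qp_varint_value(const uint8_t *buf, size_t len)
{
    uint64_t v = 0;
    return qp_read_varint(buf, len, &v) < 0 ? UINT64_MAX : v;
}

/* A length-prefixed field: varint length followed by that many bytes, the
 * shape used by several QUIC frame types (RFC 9000 Section 19). */
struct qp_field {
    uint8_t *data;
    size_t len;
};

/* Copy one field into a freshly malloc'd buffer no larger than max_field.
 * On QP_OK the caller owns out->data and *consumed holds the bytes used. */
int qp_read_field(const uint8_t *buf, size_t len, size_t max_field,
                  struct qp_field *out, size_t *consumed)
{
    uint64_t declared = 0;
    int used = qp_read_varint(buf, len, &declared);
    if (used < 0)
        return used;
    /* Check 2: the peer chose 'declared'; cap it before sizing any buffer. */
    if (declared > max_field)
        return QP_TOO_LARGE;
    /* Check 3: 'declared' must also fit in what actually arrived; without
     * this the copy below runs past the end of buf, the unchecked-length
     * pattern behind CWE-122 bugs. */
    if (declared > len - (size_t)used)
        return QP_TRUNCATED;
    size_t n = (size_t)declared;
    uint8_t *dst = malloc(n ? n : 1);
    if (dst == NULL)
        return QP_NOMEM;
    memcpy(dst, buf + used, n);
    out->data = dst;
    out->len = n;
    *consumed = (size_t)used + n;
    return QP_OK;
}

/* Runs constructed inputs (not captured traffic) through the parser.
 * Returns 1 if every case is handled as intended, 0 otherwise. */
int qp_selfcheck(void)
{
    static const uint8_t good[]       = {0x03, 'a', 'b', 'c'}; /* len 3, body present */
    static const uint8_t short_body[] = {0x05, 'a', 'b'};      /* claims 5, only 2 present */
    static const uint8_t too_big[]    = {0x40, 0x64};          /* 2-byte varint = 100 */
    static const uint8_t cut_prefix[] = {0x7b};                /* prefix says 2 bytes */
    struct qp_field f = {NULL, 0};
    size_t used = 0;
    uint64_t v = 0;
    int ok = 1;

    ok &= qp_read_field(good, sizeof good, 16, &f, &used) == QP_OK
          && f.len == 3 && used == 4 && memcmp(f.data, "abc", 3) == 0;
    free(f.data);
    ok &= qp_read_field(short_body, sizeof short_body, 16, &f, &used) == QP_TRUNCATED;
    ok &= qp_read_field(too_big, sizeof too_big, 16, &f, &used) == QP_TOO_LARGE;
    ok &= qp_read_varint(cut_prefix, sizeof cut_prefix, &v) == QP_TRUNCATED;
    return ok;
}

int main(void)
{
    int ok = qp_selfcheck();
    printf("parser self-check: %s\n", ok ? "pass" : "FAIL");
    return ok ? 0 : 1;
}
```

The order of the checks matters for a receiver: the cap (check 2) is applied before any allocation, so a peer cannot make the endpoint allocate on the strength of a declared length alone, and the truncation check (check 3) is applied before the copy, so a short packet is rejected rather than read past. Logging which check fired on rejected packets is a cheap source of the "malformed message" telemetry the remediation section recommends.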

Affected Products

mvfst (All versions prior to v2025.07.07.00)

Remediation

Upgrade mvfst to version v2025.07.07.00 or later (priority: Critical). Meta has released a patched version addressing the heap buffer overflow in QUIC message parsing. Organizations using mvfst should prioritize updating to or beyond v2025.07.07.00.

Workaround: Restrict QUIC endpoint access (priority: High). If immediate patching is not possible, implement network-level controls to restrict connections from untrusted sources to QUIC endpoints. Use firewalls or reverse proxies to validate connection sources.

Monitoring: Monitor for exploitation indicators (priority: High). Enable logging and monitoring for abnormal QUIC connection attempts, malformed messages, or crash logs in applications using mvfst. Watch for heap corruption signatures or unexpected process terminations.

Mitigation: Deploy address space layout randomization (ASLR) (priority: Medium). Ensure ASLR is enabled on systems running mvfst to complicate heap exploitation attempts, though this does not prevent DoS.

Priority Score

41 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +0.0
CVSS: +40
POC: 0
