Fluid Attacks Database

Description

quic-go is an implementation of the QUIC protocol in Go. Versions 0.56.0 and below are vulnerable to excessive memory allocation through quic-go's HTTP/3 client and server implementations by sending a QPACK-encoded HEADERS frame that decodes into a large header field section (many unique header names and/or large values). The implementation builds an http.Header (used on the http.Request and http.Response, respectively), while only enforcing limits on the size of the (QPACK-compressed) HEADERS frame, but not on the decoded header, leading to memory exhaustion. This issue is fixed in version 0.57.0.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 11	golang-github-lucas-clemente-quic-go	=0.19.3-1 \|\| =0.24.0-1 \|\| =0.25.0-1 \|\| =0.26.0-1 \|\| =0.26.0-1~bpo11+1 \|\| =0.29.0-1 \|\| =0.29.0-1~bpo11+1 \|\| =0.29.0-1~bpo11+2 \|\| =0.29.2-1 \|\| =0.29.2-2 \|\| =0.29.2-3 \|\| =0.37.0-1 \|\| =0.37.4-1 \|\| =0.37.4-1~bpo12+1 \|\| =0.38.2-1 \|\| =0.38.2-2 \|\| =0.46.0-1 \|\| =0.46.0-2 \|\| =0.46.0-2~bpo12+1 \|\| =0.50.0-1 \|\| =0.50.1-1 \|\| =0.50.1-2 \|\| =0.54.0-1 \|\| =0.54.0-2 \|\| =0.54.0-3 \|\| =0.54.1-1 \|\| =0.55.0-1 \|\| =0.59.0-1 \|\| =0.59.0-2	-
debian 14	golang-github-lucas-clemente-quic-go	=0.50.1-2 \|\| =0.54.0-1 \|\| =0.54.0-2 \|\| =0.54.0-3 \|\| =0.54.1-1 \|\| =0.55.0-1 \|\| >=0 <0.59.0-1	0.59.0-1
debian 12	golang-github-lucas-clemente-quic-go	=0.29.0-1 \|\| =0.29.2-1 \|\| =0.29.2-2 \|\| =0.29.2-3 \|\| =0.37.0-1 \|\| =0.37.4-1 \|\| =0.37.4-1~bpo12+1 \|\| =0.38.2-1 \|\| =0.38.2-2 \|\| =0.46.0-1 \|\| =0.46.0-2 \|\| =0.46.0-2~bpo12+1 \|\| =0.50.0-1 \|\| =0.50.1-1 \|\| =0.50.1-2 \|\| =0.54.0-1 \|\| =0.54.0-2 \|\| =0.54.0-3 \|\| =0.54.1-1 \|\| =0.55.0-1 \|\| =0.59.0-1 \|\| =0.59.0-2	-
debian 13	golang-github-lucas-clemente-quic-go	=0.50.1-2 \|\| =0.54.0-1 \|\| =0.54.0-2 \|\| =0.54.0-3 \|\| =0.54.1-1 \|\| =0.55.0-1 \|\| =0.59.0-1 \|\| =0.59.0-2	-
go	github.com/quic-go/quic-go	>=0 <0.57.0	0.57.0

Aliases

1. CVE-2025-647022. NVD-2025-647023. OSV-DEBIAN-2025-647024. OSV-2025-647025. GHSA-g754-hx8w-x2g66. GCVE-2025-647027. SECURITY-TRACKER-CVE-2025-64702

References

1. https://github.com/quic-go/quic-go/security/advisories/GHSA-g754-hx8w-x2g62. https://github.com/quic-go/quic-go/commit/5b2d2129f8315da41e01eff0a847ab38a34e83a8