cve-2025-29785
Vulnerability from cvelistv5
Published
2025-06-02 10:44
Modified
2025-06-02 12:01
Severity ?
EPSS score ?
Summary
quic-go Has Panic in Path Probe Loss Recovery Handling
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-29785",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-02T12:00:53.410884Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-02T12:01:18.236Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "quic-go",
"vendor": "quic-go",
"versions": [
{
"status": "affected",
"version": "= 0.50.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "quic-go is an implementation of the QUIC protocol in Go. The loss recovery logic for path probe packets that was added in the v0.50.0 release can be used to trigger a nil-pointer dereference by a malicious QUIC client. In order to do so, the attacker first sends valid QUIC packets from different remote addresses (thereby triggering the newly added path validation logic: the server sends path probe packets), and then sending ACKs for packets received from the server specifically crafted to trigger the nil-pointer dereference. v0.50.1 contains a patch that fixes the vulnerability. This release contains a test that generates random sequences of sent packets (both regular and path probe packets), that was used to verify that the patch actually covers all corner cases. No known workarounds are available."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-248",
"description": "CWE-248: Uncaught Exception",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-02T10:44:18.817Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/quic-go/quic-go/security/advisories/GHSA-j972-j939-p2v3",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/quic-go/quic-go/security/advisories/GHSA-j972-j939-p2v3"
},
{
"name": "https://github.com/quic-go/quic-go/issues/4981",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/quic-go/quic-go/issues/4981"
},
{
"name": "https://github.com/quic-go/quic-go/commit/b90058aba5f65f48e0e150c89bbaa21a72dda4de",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/quic-go/quic-go/commit/b90058aba5f65f48e0e150c89bbaa21a72dda4de"
}
],
"source": {
"advisory": "GHSA-j972-j939-p2v3",
"discovery": "UNKNOWN"
},
"title": "quic-go Has Panic in Path Probe Loss Recovery Handling"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-29785",
"datePublished": "2025-06-02T10:44:18.817Z",
"dateReserved": "2025-03-11T14:23:00.475Z",
"dateUpdated": "2025-06-02T12:01:18.236Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2025-29785\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-06-02T11:15:21.953\",\"lastModified\":\"2025-06-02T17:32:17.397\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"quic-go is an implementation of the QUIC protocol in Go. The loss recovery logic for path probe packets that was added in the v0.50.0 release can be used to trigger a nil-pointer dereference by a malicious QUIC client. In order to do so, the attacker first sends valid QUIC packets from different remote addresses (thereby triggering the newly added path validation logic: the server sends path probe packets), and then sending ACKs for packets received from the server specifically crafted to trigger the nil-pointer dereference. v0.50.1 contains a patch that fixes the vulnerability. This release contains a test that generates random sequences of sent packets (both regular and path probe packets), that was used to verify that the patch actually covers all corner cases. No known workarounds are available.\"},{\"lang\":\"es\",\"value\":\"quic-go es una implementaci\u00f3n del protocolo QUIC en Go. La l\u00f3gica de recuperaci\u00f3n de p\u00e9rdidas para paquetes de sondeo de ruta, a\u00f1adida en la versi\u00f3n v0.50.0, puede utilizarse para que un cliente QUIC malicioso active una desreferencia de puntero nulo. Para ello, el atacante primero env\u00eda paquetes QUIC v\u00e1lidos desde diferentes direcciones remotas (activando as\u00ed la nueva l\u00f3gica de validaci\u00f3n de ruta: el servidor env\u00eda paquetes de sondeo de ruta) y, a continuaci\u00f3n, env\u00eda ACKs para los paquetes recibidos del servidor, dise\u00f1ados espec\u00edficamente para activar la desreferencia de puntero nulo. La versi\u00f3n v0.50.1 incluye un parche que corrige la vulnerabilidad. Esta versi\u00f3n incluye una prueba que genera secuencias aleatorias de paquetes enviados (tanto paquetes normales como de sondeo de ruta), que se utiliz\u00f3 para verificar que el parche cubre todos los casos excepcionales. No se conocen workarounds.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-248\"}]}],\"references\":[{\"url\":\"https://github.com/quic-go/quic-go/commit/b90058aba5f65f48e0e150c89bbaa21a72dda4de\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/quic-go/quic-go/issues/4981\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/quic-go/quic-go/security/advisories/GHSA-j972-j939-p2v3\",\"source\":\"security-advisories@github.com\"}]}}"
}
}
Loading...
Loading...
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.