cvedb.io
CVE-2025-64702
MEDIUM · CVSS 5.3
EPSS exploitation probability: 0%
Published 2025-12-11T21:15:54.707 · Last modified 2026-06-17T09:55:04.027

Summary

quic-go is an implementation of the QUIC protocol in Go. Versions 0.56.0 and below are vulnerable to excessive memory allocation through quic-go's HTTP/3 client and server implementations by sending a QPACK-encoded HEADERS frame that decodes into a large header field section (many unique header names and/or large values). The implementation builds an http.Header (used on the http.Request and http.Response, respectively), while only enforcing limits on the size of the (QPACK-compressed) HEADERS frame, but not on the decoded header, leading to memory exhaustion. This issue is fixed in version 0.57.0.

Affected products

quic-go_project — quic-go

Does this affect you?

Add your gear to cvedb and we'll alert you only when quic-go_project ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.