
Vulnerability_id VCID-s9za-jdcy-fkbc
Summary
quiche connection ID retirement can trigger an infinite loop
## Impact

Cloudflare quiche was discovered to be vulnerable to an infinite loop when sending packets containing RETIRE_CONNECTION_ID frames.

QUIC connections possess a set of connection identifiers (IDs); see [Section 5.1 of RFC 9000](https://datatracker.ietf.org/doc/html/rfc9000#section-5.1). Once the QUIC handshake completes, a local endpoint is responsible for issuing and retiring Connection IDs that are used by the remote peer to populate the Destination Connection ID field in packets sent from remote to local. Each Connection ID has a sequence number to ensure synchronization between peers.

An unauthenticated remote attacker can exploit this vulnerability by first completing a handshake and then sending a specially crafted set of frames that trigger a connection ID retirement in the victim. When the victim attempts to send a packet containing RETIRE_CONNECTION_ID frames, [Section 19.16 of RFC 9000](https://datatracker.ietf.org/doc/html/rfc9000#section-19.16) requires that the sequence number of the retired connection ID must not be the same as the sequence number of the connection ID used by the packet. In other words, a packet cannot contain a frame that retires itself. In scenarios such as path migration, it is possible for there to be multiple active paths with different active connection IDs that could be used to retire each other. The exploit triggered an unintentional behaviour of a quiche design feature that supports retirement across paths while maintaining full connection ID synchronization, leading to an infinite loop.

## Patches

quiche 0.24.5 is the earliest version containing the fix for the issue.
Aliases
0
alias CVE-2025-7054
1
alias GHSA-m3hh-f9gh-74c2
Fixed_packages
0
url pkg:apk/alpine/dnsdist@1.9.11-r0?arch=armv7&distroversion=v3.22&reponame=community
purl pkg:apk/alpine/dnsdist@1.9.11-r0?arch=armv7&distroversion=v3.22&reponame=community
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:apk/alpine/dnsdist@1.9.11-r0%3Farch=armv7&distroversion=v3.22&reponame=community
1
url pkg:apk/alpine/dnsdist@1.9.11-r0?arch=loongarch64&distroversion=v3.22&reponame=community
purl pkg:apk/alpine/dnsdist@1.9.11-r0?arch=loongarch64&distroversion=v3.22&reponame=community
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:apk/alpine/dnsdist@1.9.11-r0%3Farch=loongarch64&distroversion=v3.22&reponame=community
2
url pkg:apk/alpine/dnsdist@1.9.11-r0?arch=x86&distroversion=v3.22&reponame=community
purl pkg:apk/alpine/dnsdist@1.9.11-r0?arch=x86&distroversion=v3.22&reponame=community
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:apk/alpine/dnsdist@1.9.11-r0%3Farch=x86&distroversion=v3.22&reponame=community
3
url pkg:apk/alpine/dnsdist@1.9.11-r0?arch=aarch64&distroversion=v3.22&reponame=community
purl pkg:apk/alpine/dnsdist@1.9.11-r0?arch=aarch64&distroversion=v3.22&reponame=community
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:apk/alpine/dnsdist@1.9.11-r0%3Farch=aarch64&distroversion=v3.22&reponame=community
4
url pkg:apk/alpine/dnsdist@1.9.11-r0?arch=armhf&distroversion=v3.22&reponame=community
purl pkg:apk/alpine/dnsdist@1.9.11-r0?arch=armhf&distroversion=v3.22&reponame=community
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:apk/alpine/dnsdist@1.9.11-r0%3Farch=armhf&distroversion=v3.22&reponame=community
5
url pkg:apk/alpine/dnsdist@1.9.11-r0?arch=ppc64le&distroversion=v3.22&reponame=community
purl pkg:apk/alpine/dnsdist@1.9.11-r0?arch=ppc64le&distroversion=v3.22&reponame=community
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:apk/alpine/dnsdist@1.9.11-r0%3Farch=ppc64le&distroversion=v3.22&reponame=community
6
url pkg:apk/alpine/dnsdist@1.9.11-r0?arch=riscv64&distroversion=v3.22&reponame=community
purl pkg:apk/alpine/dnsdist@1.9.11-r0?arch=riscv64&distroversion=v3.22&reponame=community
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:apk/alpine/dnsdist@1.9.11-r0%3Farch=riscv64&distroversion=v3.22&reponame=community
7
url pkg:apk/alpine/dnsdist@1.9.11-r0?arch=s390x&distroversion=v3.22&reponame=community
purl pkg:apk/alpine/dnsdist@1.9.11-r0?arch=s390x&distroversion=v3.22&reponame=community
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:apk/alpine/dnsdist@1.9.11-r0%3Farch=s390x&distroversion=v3.22&reponame=community
8
url pkg:apk/alpine/dnsdist@1.9.11-r0?arch=x86_64&distroversion=v3.22&reponame=community
purl pkg:apk/alpine/dnsdist@1.9.11-r0?arch=x86_64&distroversion=v3.22&reponame=community
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:apk/alpine/dnsdist@1.9.11-r0%3Farch=x86_64&distroversion=v3.22&reponame=community
9
url pkg:apk/alpine/dnsdist@2.0.1-r0?arch=aarch64&distroversion=edge&reponame=community
purl pkg:apk/alpine/dnsdist@2.0.1-r0?arch=aarch64&distroversion=edge&reponame=community
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:apk/alpine/dnsdist@2.0.1-r0%3Farch=aarch64&distroversion=edge&reponame=community
10
url pkg:apk/alpine/dnsdist@2.0.1-r0?arch=ppc64le&distroversion=edge&reponame=community
purl pkg:apk/alpine/dnsdist@2.0.1-r0?arch=ppc64le&distroversion=edge&reponame=community
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:apk/alpine/dnsdist@2.0.1-r0%3Farch=ppc64le&distroversion=edge&reponame=community
11
url pkg:apk/alpine/dnsdist@2.0.1-r0?arch=x86&distroversion=v3.23&reponame=community
purl pkg:apk/alpine/dnsdist@2.0.1-r0?arch=x86&distroversion=v3.23&reponame=community
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:apk/alpine/dnsdist@2.0.1-r0%3Farch=x86&distroversion=v3.23&reponame=community
12
url pkg:apk/alpine/dnsdist@2.0.1-r0?arch=armhf&distroversion=edge&reponame=community
purl pkg:apk/alpine/dnsdist@2.0.1-r0?arch=armhf&distroversion=edge&reponame=community
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:apk/alpine/dnsdist@2.0.1-r0%3Farch=armhf&distroversion=edge&reponame=community
13
url pkg:apk/alpine/dnsdist@2.0.1-r0?arch=armv7&distroversion=edge&reponame=community
purl pkg:apk/alpine/dnsdist@2.0.1-r0?arch=armv7&distroversion=edge&reponame=community
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:apk/alpine/dnsdist@2.0.1-r0%3Farch=armv7&distroversion=edge&reponame=community
14
url pkg:apk/alpine/dnsdist@2.0.1-r0?arch=riscv64&distroversion=edge&reponame=community
purl pkg:apk/alpine/dnsdist@2.0.1-r0?arch=riscv64&distroversion=edge&reponame=community
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:apk/alpine/dnsdist@2.0.1-r0%3Farch=riscv64&distroversion=edge&reponame=community
15
url pkg:apk/alpine/dnsdist@2.0.1-r0?arch=s390x&distroversion=edge&reponame=community
purl pkg:apk/alpine/dnsdist@2.0.1-r0?arch=s390x&distroversion=edge&reponame=community
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:apk/alpine/dnsdist@2.0.1-r0%3Farch=s390x&distroversion=edge&reponame=community
16
url pkg:apk/alpine/dnsdist@2.0.1-r0?arch=armhf&distroversion=v3.23&reponame=community
purl pkg:apk/alpine/dnsdist@2.0.1-r0?arch=armhf&distroversion=v3.23&reponame=community
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:apk/alpine/dnsdist@2.0.1-r0%3Farch=armhf&distroversion=v3.23&reponame=community
17
url pkg:apk/alpine/dnsdist@2.0.1-r0?arch=ppc64le&distroversion=v3.23&reponame=community
purl pkg:apk/alpine/dnsdist@2.0.1-r0?arch=ppc64le&distroversion=v3.23&reponame=community
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:apk/alpine/dnsdist@2.0.1-r0%3Farch=ppc64le&distroversion=v3.23&reponame=community
18
url pkg:apk/alpine/dnsdist@2.0.1-r0?arch=s390x&distroversion=v3.23&reponame=community
purl pkg:apk/alpine/dnsdist@2.0.1-r0?arch=s390x&distroversion=v3.23&reponame=community
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:apk/alpine/dnsdist@2.0.1-r0%3Farch=s390x&distroversion=v3.23&reponame=community
19
url pkg:apk/alpine/dnsdist@2.0.1-r0?arch=x86_64&distroversion=v3.23&reponame=community
purl pkg:apk/alpine/dnsdist@2.0.1-r0?arch=x86_64&distroversion=v3.23&reponame=community
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:apk/alpine/dnsdist@2.0.1-r0%3Farch=x86_64&distroversion=v3.23&reponame=community
20
url pkg:apk/alpine/dnsdist@2.0.1-r0?arch=loongarch64&distroversion=edge&reponame=community
purl pkg:apk/alpine/dnsdist@2.0.1-r0?arch=loongarch64&distroversion=edge&reponame=community
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:apk/alpine/dnsdist@2.0.1-r0%3Farch=loongarch64&distroversion=edge&reponame=community
21
url pkg:apk/alpine/dnsdist@2.0.1-r0?arch=x86&distroversion=edge&reponame=community
purl pkg:apk/alpine/dnsdist@2.0.1-r0?arch=x86&distroversion=edge&reponame=community
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:apk/alpine/dnsdist@2.0.1-r0%3Farch=x86&distroversion=edge&reponame=community
22
url pkg:apk/alpine/dnsdist@2.0.1-r0?arch=x86_64&distroversion=edge&reponame=community
purl pkg:apk/alpine/dnsdist@2.0.1-r0?arch=x86_64&distroversion=edge&reponame=community
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:apk/alpine/dnsdist@2.0.1-r0%3Farch=x86_64&distroversion=edge&reponame=community
23
url pkg:apk/alpine/dnsdist@2.0.1-r0?arch=aarch64&distroversion=v3.23&reponame=community
purl pkg:apk/alpine/dnsdist@2.0.1-r0?arch=aarch64&distroversion=v3.23&reponame=community
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:apk/alpine/dnsdist@2.0.1-r0%3Farch=aarch64&distroversion=v3.23&reponame=community
24
url pkg:apk/alpine/dnsdist@2.0.1-r0?arch=armv7&distroversion=v3.23&reponame=community
purl pkg:apk/alpine/dnsdist@2.0.1-r0?arch=armv7&distroversion=v3.23&reponame=community
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:apk/alpine/dnsdist@2.0.1-r0%3Farch=armv7&distroversion=v3.23&reponame=community
25
url pkg:apk/alpine/dnsdist@2.0.1-r0?arch=loongarch64&distroversion=v3.23&reponame=community
purl pkg:apk/alpine/dnsdist@2.0.1-r0?arch=loongarch64&distroversion=v3.23&reponame=community
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:apk/alpine/dnsdist@2.0.1-r0%3Farch=loongarch64&distroversion=v3.23&reponame=community
26
url pkg:apk/alpine/dnsdist@2.0.1-r0?arch=riscv64&distroversion=v3.23&reponame=community
purl pkg:apk/alpine/dnsdist@2.0.1-r0?arch=riscv64&distroversion=v3.23&reponame=community
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:apk/alpine/dnsdist@2.0.1-r0%3Farch=riscv64&distroversion=v3.23&reponame=community
27
url pkg:cargo/quiche@0.24.5
purl pkg:cargo/quiche@0.24.5
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:cargo/quiche@0.24.5
Affected_packages
0
url pkg:cargo/quiche@0.15.0
purl pkg:cargo/quiche@0.15.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-arws-exmk-fkdp
1
vulnerability VCID-s9za-jdcy-fkbc
resource_url http://public2.vulnerablecode.io/packages/pkg:cargo/quiche@0.15.0
References
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-7054
reference_id
reference_type
scores
0
value 0.00032
scoring_system epss
scoring_elements 0.0913
published_at 2026-04-07T12:55:00Z
1
value 0.00032
scoring_system epss
scoring_elements 0.09156
published_at 2026-04-02T12:55:00Z
2
value 0.00032
scoring_system epss
scoring_elements 0.09242
published_at 2026-04-11T12:55:00Z
3
value 0.00032
scoring_system epss
scoring_elements 0.09206
published_at 2026-04-04T12:55:00Z
4
value 0.00032
scoring_system epss
scoring_elements 0.09239
published_at 2026-04-09T12:55:00Z
5
value 0.00032
scoring_system epss
scoring_elements 0.0921
published_at 2026-04-08T12:55:00Z
6
value 0.00035
scoring_system epss
scoring_elements 0.10358
published_at 2026-04-21T12:55:00Z
7
value 0.00035
scoring_system epss
scoring_elements 0.10227
published_at 2026-04-18T12:55:00Z
8
value 0.00035
scoring_system epss
scoring_elements 0.10255
published_at 2026-04-16T12:55:00Z
9
value 0.00035
scoring_system epss
scoring_elements 0.10384
published_at 2026-04-13T12:55:00Z
10
value 0.00035
scoring_system epss
scoring_elements 0.10406
published_at 2026-04-12T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-7054
1
reference_url https://github.com/cloudflare/quiche
reference_id
reference_type
scores
0
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/cloudflare/quiche
2
reference_url https://github.com/cloudflare/quiche/security/advisories/GHSA-m3hh-f9gh-74c2
reference_id
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-08-07T15:52:05Z/
url https://github.com/cloudflare/quiche/security/advisories/GHSA-m3hh-f9gh-74c2
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-7054
reference_id
reference_type
scores
0
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-7054
4
reference_url https://github.com/advisories/GHSA-m3hh-f9gh-74c2
reference_id GHSA-m3hh-f9gh-74c2
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-m3hh-f9gh-74c2
Weaknesses
0
cwe_id 835
name Loop with Unreachable Exit Condition ('Infinite Loop')
description The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.
Exploits
Severity_range_score 7.0 - 8.9
Exploitability 0.5
Weighted_severity 8.0
Risk_score 4.0
Resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-s9za-jdcy-fkbc