Vulnerability_id VCID-apqf-t7ew-5fgw
Summary
quic-go HTTP/3 QPACK Header Expansion DoS
## Summary

An attacker can cause excessive memory allocation in quic-go's HTTP/3 client and server implementations by sending a QPACK-encoded HEADERS frame that decodes into a large header field section (many unique header names and/or large values). The implementation builds an `http.Header` (used on the `http.Request` and `http.Response`, respectively), while only enforcing limits on the size of the (QPACK-compressed) HEADERS frame, but not on the decoded header, leading to memory exhaustion.

## Impact

A misbehaving or malicious peer can cause a denial of service (DoS) against quic-go's HTTP/3 servers or clients by triggering excessive memory allocation, potentially leading to crashes or memory exhaustion. Because the header is constructed the same way on both sides, servers and clients are equally affected.

## Details

In HTTP/3, headers are compressed using QPACK (RFC 9204). quic-go's HTTP/3 server (and client) decodes the QPACK-encoded HEADERS frame into header fields, then constructs an `http.Request` (or `http.Response`).

`http3.Server.MaxHeaderBytes` and `http3.Transport.MaxResponseHeaderBytes`, respectively, limit the size of the encoded HEADERS frame (default: 1 MB server, 10 MB client), but not the decoded size. A maliciously crafted HEADERS frame can expand to ~50x its encoded size by referencing QPACK static table entries that have long names / values.

RFC 9114 requires enforcing decoded field section size limits via SETTINGS, which quic-go did not do.

## The Fix

quic-go now enforces RFC 9114 decoded field section size limits, sending SETTINGS_MAX_FIELD_SECTION_SIZE and using incremental QPACK decoding to check the header size after each entry, aborting early on violations with HTTP 431 (on the server side) and stream reset (on the client side).
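To illustrate the incremental check described above, the following Go snippet is an added example (not quic-go's own code): it accumulates the RFC 9114 field section size (name length + value length + 32 bytes per field) while building an `http.Header` and aborts as soon as the limit is passed, so the decoded header never grows beyond the limit regardless of how small the compressed frame was. The field values, the 8192-byte limit and the `HeaderField` type are constructed for this example; wiring the limit into SETTINGS_MAX_FIELD_SECTION_SIZE is not shown.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
)

// HeaderField is one decoded QPACK field (constructed type for this example).
type HeaderField struct {
	Name, Value string
}

// ErrFieldSectionTooLarge is returned once the decoded size passes the limit;
// a server would answer with HTTP 431, a client would reset the stream.
var ErrFieldSectionTooLarge = errors.New("decoded header field section exceeds limit")

// FieldSize is the RFC 9114 section 4.2.2 size of one field: the uncompressed
// name and value lengths plus a fixed overhead of 32 bytes.
func FieldSize(f HeaderField) int {
	return len(f.Name) + len(f.Value) + 32
}

// BuildHeaderWithLimit constructs an http.Header from already-decoded fields,
// re-checking the cumulative decoded size after every field. It returns the
// size reached so far together with the error, so a caller can log how far
// past the limit the peer pushed before the abort.
func BuildHeaderWithLimit(fields []HeaderField, maxFieldSectionSize int) (http.Header, int, error) {
	hdr := make(http.Header)
	size := 0
	for _, f := range fields {
		size += FieldSize(f)
		if size > maxFieldSectionSize {
			return nil, size, ErrFieldSectionTooLarge
		}
		hdr.Add(f.Name, f.Value)
	}
	return hdr, size, nil
}

func main() {
	// Constructed sample: a static-table-style field that costs a byte or two
	// on the wire but 64 bytes of decoded field section size, repeated 1000 times.
	fields := make([]HeaderField, 0, 1000)
	for i := 0; i < 1000; i++ {
		fields = append(fields, HeaderField{"accept-encoding", "gzip, deflate, br"})
	}
	_, size, err := BuildHeaderWithLimit(fields, 8192)
	fmt.Println(size, err) // aborts at 8256 bytes instead of building 64000 bytes of headers
}
```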
Aliases
0
alias CVE-2025-64702
1
alias GHSA-g754-hx8w-x2g6
Fixed_packages
0
url pkg:deb/debian/golang-github-lucas-clemente-quic-go@0.46.0-2~bpo12%2B1
purl pkg:deb/debian/golang-github-lucas-clemente-quic-go@0.46.0-2~bpo12%2B1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/golang-github-lucas-clemente-quic-go@0.46.0-2~bpo12%252B1
1
url pkg:deb/debian/golang-github-lucas-clemente-quic-go@0.59.0-1?distro=trixie
purl pkg:deb/debian/golang-github-lucas-clemente-quic-go@0.59.0-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/golang-github-lucas-clemente-quic-go@0.59.0-1%3Fdistro=trixie
2
url pkg:deb/debian/golang-github-lucas-clemente-quic-go@0.59.0-2?distro=trixie
purl pkg:deb/debian/golang-github-lucas-clemente-quic-go@0.59.0-2?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/golang-github-lucas-clemente-quic-go@0.59.0-2%3Fdistro=trixie
3
url pkg:deb/debian/golang-github-lucas-clemente-quic-go@0.59.0-2
purl pkg:deb/debian/golang-github-lucas-clemente-quic-go@0.59.0-2
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/golang-github-lucas-clemente-quic-go@0.59.0-2
4
url pkg:golang/github.com/quic-go/quic-go@0.57.0
purl pkg:golang/github.com/quic-go/quic-go@0.57.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:golang/github.com/quic-go/quic-go@0.57.0
Affected_packages
0
url pkg:deb/debian/golang-github-lucas-clemente-quic-go@0.19.3-1?distro=trixie
purl pkg:deb/debian/golang-github-lucas-clemente-quic-go@0.19.3-1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-18gf-znwv-aubu
1
vulnerability VCID-3vjt-1se3-rbhc
2
vulnerability VCID-apqf-t7ew-5fgw
3
vulnerability VCID-qatc-a78d-8ufh
4
vulnerability VCID-tw5q-cn78-vyda
5
vulnerability VCID-u6kw-zxc9-q7gg
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/golang-github-lucas-clemente-quic-go@0.19.3-1%3Fdistro=trixie
1
url pkg:deb/debian/golang-github-lucas-clemente-quic-go@0.19.3-1
purl pkg:deb/debian/golang-github-lucas-clemente-quic-go@0.19.3-1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-18gf-znwv-aubu
1
vulnerability VCID-3vjt-1se3-rbhc
2
vulnerability VCID-apqf-t7ew-5fgw
3
vulnerability VCID-qatc-a78d-8ufh
4
vulnerability VCID-tw5q-cn78-vyda
5
vulnerability VCID-u6kw-zxc9-q7gg
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/golang-github-lucas-clemente-quic-go@0.19.3-1
2
url pkg:deb/debian/golang-github-lucas-clemente-quic-go@0.29.0-1?distro=trixie
purl pkg:deb/debian/golang-github-lucas-clemente-quic-go@0.29.0-1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-18gf-znwv-aubu
1
vulnerability VCID-3vjt-1se3-rbhc
2
vulnerability VCID-apqf-t7ew-5fgw
3
vulnerability VCID-qatc-a78d-8ufh
4
vulnerability VCID-tw5q-cn78-vyda
5
vulnerability VCID-u6kw-zxc9-q7gg
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/golang-github-lucas-clemente-quic-go@0.29.0-1%3Fdistro=trixie
3
url pkg:deb/debian/golang-github-lucas-clemente-quic-go@0.29.0-1
purl pkg:deb/debian/golang-github-lucas-clemente-quic-go@0.29.0-1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-18gf-znwv-aubu
1
vulnerability VCID-3vjt-1se3-rbhc
2
vulnerability VCID-apqf-t7ew-5fgw
3
vulnerability VCID-qatc-a78d-8ufh
4
vulnerability VCID-tw5q-cn78-vyda
5
vulnerability VCID-u6kw-zxc9-q7gg
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/golang-github-lucas-clemente-quic-go@0.29.0-1
4
url pkg:deb/debian/golang-github-lucas-clemente-quic-go@0.50.1-2
purl pkg:deb/debian/golang-github-lucas-clemente-quic-go@0.50.1-2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-apqf-t7ew-5fgw
1
vulnerability VCID-qatc-a78d-8ufh
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/golang-github-lucas-clemente-quic-go@0.50.1-2
5
url pkg:deb/debian/golang-github-lucas-clemente-quic-go@0.50.1-2?distro=trixie
purl pkg:deb/debian/golang-github-lucas-clemente-quic-go@0.50.1-2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-apqf-t7ew-5fgw
1
vulnerability VCID-qatc-a78d-8ufh
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/golang-github-lucas-clemente-quic-go@0.50.1-2%3Fdistro=trixie
References
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-64702.json
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-64702.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-64702
reference_id
reference_type
scores
0
value 0.00061
scoring_system epss
scoring_elements 0.19261
published_at 2026-04-11T12:55:00Z
1
value 0.00061
scoring_system epss
scoring_elements 0.19255
published_at 2026-04-09T12:55:00Z
2
value 0.00061
scoring_system epss
scoring_elements 0.19203
published_at 2026-04-08T12:55:00Z
3
value 0.00061
scoring_system epss
scoring_elements 0.19123
published_at 2026-04-07T12:55:00Z
4
value 0.00061
scoring_system epss
scoring_elements 0.19407
published_at 2026-04-04T12:55:00Z
5
value 0.00061
scoring_system epss
scoring_elements 0.19356
published_at 2026-04-02T12:55:00Z
6
value 0.00079
scoring_system epss
scoring_elements 0.23257
published_at 2026-04-29T12:55:00Z
7
value 0.00079
scoring_system epss
scoring_elements 0.23532
published_at 2026-04-12T12:55:00Z
8
value 0.00079
scoring_system epss
scoring_elements 0.23478
published_at 2026-04-13T12:55:00Z
9
value 0.00079
scoring_system epss
scoring_elements 0.23491
published_at 2026-04-16T12:55:00Z
10
value 0.00079
scoring_system epss
scoring_elements 0.23483
published_at 2026-04-18T12:55:00Z
11
value 0.00079
scoring_system epss
scoring_elements 0.23464
published_at 2026-04-21T12:55:00Z
12
value 0.00079
scoring_system epss
scoring_elements 0.2328
published_at 2026-04-24T12:55:00Z
13
value 0.00079
scoring_system epss
scoring_elements 0.23269
published_at 2026-04-26T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-64702
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-64702
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-64702
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/quic-go/quic-go
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/quic-go/quic-go
5
reference_url https://github.com/quic-go/quic-go/commit/5b2d2129f8315da41e01eff0a847ab38a34e83a8
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-12-12T20:44:44Z/
url https://github.com/quic-go/quic-go/commit/5b2d2129f8315da41e01eff0a847ab38a34e83a8
6
reference_url https://github.com/quic-go/quic-go/security/advisories/GHSA-g754-hx8w-x2g6
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-12-12T20:44:44Z/
url https://github.com/quic-go/quic-go/security/advisories/GHSA-g754-hx8w-x2g6
7
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-64702
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-64702
8
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1122814
reference_id 1122814
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1122814
9
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2421635
reference_id 2421635
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2421635
Weaknesses
0
cwe_id 770
name Allocation of Resources Without Limits or Throttling
description The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.
Exploits
Severity_range_score 4.0 - 6.9
Exploitability 0.5
Weighted_severity 6.2
Risk_score 3.1
Resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-apqf-t7ew-5fgw