{"id":"GO-2025-4233","summary":"HTTP/3 QPACK Header Expansion DoS in github.com/quic-go/quic-go","details":"HTTP/3 QPACK Header Expansion DoS in github.com/quic-go/quic-go","aliases":["CVE-2025-64702","GHSA-g754-hx8w-x2g6"],"modified":"2026-02-04T03:42:03.713204Z","published":"2025-12-15T20:37:41Z","related":["CGA-p2hw-6g52-wqg3"],"database_specific":{"review_status":"REVIEWED","url":"https://pkg.go.dev/vuln/GO-2025-4233"},"references":[{"type":"ADVISORY","url":"https://github.com/quic-go/quic-go/security/advisories/GHSA-g754-hx8w-x2g6"},{"type":"FIX","url":"https://github.com/quic-go/quic-go/commit/5b2d2129f8315da41e01eff0a847ab38a34e83a8"}],"affected":[{"package":{"name":"github.com/quic-go/quic-go","ecosystem":"Go","purl":"pkg:golang/github.com/quic-go/quic-go"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"0.57.0"}]}],"ecosystem_specific":{"imports":[{"path":"github.com/quic-go/quic-go/http3","symbols":["ClientConn.OpenRequestStream","ClientConn.RoundTrip","ConfigureTLSConfig","Conn.OpenStream","Conn.OpenStreamSync","Conn.OpenUniStream","Conn.OpenUniStreamSync","Conn.decodeTrailers","ErrCode.String","Error.Error","ListenAndServeQUIC","ListenAndServeTLS","ParseCapsule","RequestStream.CancelRead","RequestStream.CancelWrite","RequestStream.Close","RequestStream.Read","RequestStream.ReadResponse","RequestStream.SendRequestHeader","RequestStream.Write","Server.Close","Server.ListenAndServe","Server.ListenAndServeTLS","Server.Serve","Server.ServeListener","Server.ServeQUICConn","Server.Shutdown","Server.handleRequest","Server.maxHeaderBytes","Stream.Read","Stream.Write","Transport.Close","Transport.CloseIdleConnections","Transport.NewClientConn","Transport.RoundTrip","Transport.RoundTripOpt","body.Close","body.Read","cancelingReader.Read","countingByteReader.Read","countingByteReader.ReadByte","errConnUnusable.Error","exactReader.Read","frameParser.ParseNext","gzipReader.Close","gzipReader.Read","hijackableBody.Close","hijackableBody.Read","parseHeaders","requestFromHeaders","requestWriter.WriteRequestHeader","responseWriter.Flush","responseWriter.FlushError","responseWriter.HTTPStream","responseWriter.Write","responseWriter.WriteHeader","roundTripperWithCount.Close","stateTrackingStream.CancelRead","stateTrackingStream.CancelWrite","stateTrackingStream.Close","stateTrackingStream.Read","stateTrackingStream.Write","tracingReader.Read","updateResponseFromHeaders"]}]},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2025-4233.json"}}],"schema_version":"1.7.3"}