CVE-2025-61684

Source
https://cve.org/CVERecord?id=CVE-2025-61684
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-61684.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-61684
Aliases
  • GHSA-wr3c-345m-43v9
Published
2026-01-19T15:18:11.398Z
Modified
2026-01-28T05:51:21.858343Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
Quicly has assertion failures
Details

Quicly, an IETF QUIC protocol implementation, is susceptible to a denial-of-service attack prior to commit d9d3df6a8530a102b57d840e39b0311ce5c9e14e. A remote attacker can exploit these bugs to trigger an assertion failure that crashes the process using Quicly. Commit d9d3df6a8530a102b57d840e39b0311ce5c9e14e fixes the issue.

Database specific
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-20"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/61xxx/CVE-2025-61684.json"
}
References

Affected packages

Git / github.com/h2o/quicly

Affected ranges

Type
GIT
Repo
https://github.com/h2o/quicly
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-61684.json"
vanir_signatures
[
    {
        "signature_version": "v1",
        "deprecated": false,
        "digest": {
            "length": 1435.0,
            "function_hash": "330447917234780715116884208818365419057"
        },
        "signature_type": "Function",
        "id": "CVE-2025-61684-2d5cd368",
        "source": "https://github.com/h2o/quicly/commit/d9d3df6a8530a102b57d840e39b0311ce5c9e14e",
        "target": {
            "function": "test_downstream",
            "file": "t/lossy.c"
        }
    },
    {
        "signature_version": "v1",
        "deprecated": false,
        "digest": {
            "line_hashes": [
            ],
            "threshold": 0.9
        },
        "signature_type": "Line",
        "id": "CVE-2025-61684-4db8ab0c",
        "source": "https://github.com/h2o/quicly/commit/d9d3df6a8530a102b57d840e39b0311ce5c9e14e",
        "target": {
            "file": "t/lossy.c"
        }
    },
    {
        "signature_version": "v1",
        "deprecated": false,
        "digest": {
            "length": 1688.0,
            "function_hash": "170338641696832950255584837203458839758"
        },
        "signature_type": "Function",
        "id": "CVE-2025-61684-7e6b68fb",
        "source": "https://github.com/h2o/quicly/commit/d9d3df6a8530a102b57d840e39b0311ce5c9e14e",
        "target": {
            "function": "test_bidirectional",
            "file": "t/lossy.c"
        }
    }
]