CVE-2025-61684
Published: 19 January 2026
Summary
CVE-2025-61684 is a high-severity Improper Input Validation (CWE-20) vulnerability in H2O Quicly. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked in the top 49.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-11 (Error Handling).
Deeper analysis
CVE-2025-61684 is a denial-of-service vulnerability in Quicly, an open-source implementation of the IETF QUIC protocol. Versions of Quicly prior to commit d9d3df6a8530a102b57d840e39b0311ce5c9e14e contain flaws that allow a remote attacker to trigger an assertion failure, causing any process using the library to crash. The issue is associated with CWE-20 (Improper Input Validation) and CWE-617 (Reachable Assertion), and it has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high availability impact with network accessibility and no privileges required.
A remote, unauthenticated attacker can exploit this vulnerability by sending specially crafted QUIC packets to a target system running an affected version of Quicly. Successful exploitation leads to an assertion failure that terminates the process, resulting in a denial of service. The low attack complexity and lack of user interaction make it feasible for attackers to repeatedly trigger crashes, potentially disrupting services relying on QUIC for transport.
Mitigation is available via the fixing commit d9d3df6a8530a102b57d840e39b0311ce5c9e14e, which addresses the assertion failure. Security practitioners should update Quicly to this commit or later. Additional details are provided in the GitHub security advisory GHSA-wr3c-345m-43v9.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-206302
Vulnerability details
Quicly, an IETF QUIC protocol implementation, is susceptible to a denial-of-service attack prior to commit d9d3df6a8530a102b57d840e39b0311ce5c9e14e. A remote attacker can exploit these bugs to trigger an assertion failure that crashes process using Quicly. Commit d9d3df6a8530a102b57d840e39b0311ce5c9e14e fixes the issue.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Remote crafted QUIC packets trigger assertion failure (CWE-617) and crash via improper input validation, directly enabling application/system exploitation for endpoint DoS.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly mitigates the vulnerability by requiring timely remediation through updating Quicly to the fixing commit d9d3df6a8530a102b57d840e39b0311ce5c9e14e.
Protects against the network-accessible DoS attack by implementing controls to limit or block effects of specially crafted QUIC packets causing process crashes.
Prevents availability compromise from reachable assertion failures (CWE-617) by requiring error handling that maintains system operation without crashing.