Cyber Resilience

CVE-2025-61684

High

Published: 19 January 2026

Published
19 January 2026
Modified
27 February 2026
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score 0.0027 50.9th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-61684 is a high-severity Improper Input Validation (CWE-20) vulnerability in H2O Quicly. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked in the top 49.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-11 (Error Handling).

Deeper analysis

CVE-2025-61684 is a denial-of-service vulnerability in Quicly, an open-source implementation of the IETF QUIC protocol. Versions of Quicly prior to commit d9d3df6a8530a102b57d840e39b0311ce5c9e14e contain flaws that allow a remote attacker to trigger an assertion failure, causing any process using the library to crash. The issue is associated with CWE-20 (Improper Input Validation) and CWE-617 (Reachable Assertion), and it has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high availability impact with network accessibility and no privileges required.

A remote, unauthenticated attacker can exploit this vulnerability by sending specially crafted QUIC packets to a target system running an affected version of Quicly. Successful exploitation leads to an assertion failure that terminates the process, resulting in a denial of service. The low attack complexity and lack of user interaction make it feasible for attackers to repeatedly trigger crashes, potentially disrupting services relying on QUIC for transport.

Mitigation is available via the fixing commit d9d3df6a8530a102b57d840e39b0311ce5c9e14e, which addresses the assertion failure. Security practitioners should update Quicly to this commit or later. Additional details are provided in the GitHub security advisory GHSA-wr3c-345m-43v9.

EU & UK References

Vulnerability details

Quicly, an IETF QUIC protocol implementation, is susceptible to a denial-of-service attack prior to commit d9d3df6a8530a102b57d840e39b0311ce5c9e14e. A remote attacker can exploit these bugs to trigger an assertion failure that crashes process using Quicly. Commit d9d3df6a8530a102b57d840e39b0311ce5c9e14e fixes the issue.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Remote crafted QUIC packets trigger assertion failure (CWE-617) and crash via improper input validation, directly enabling application/system exploitation for endpoint DoS.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-7765Same vendor: H2O
CVE-2024-8062Same vendor: H2O
CVE-2026-8751Same vendor: H2O
CVE-2026-22862Shared CWE-20
CVE-2026-22868Shared CWE-20
CVE-2025-70123Shared CWE-20
CVE-2026-31739Shared CWE-617
CVE-2024-24430Shared CWE-617
CVE-2025-61616Shared CWE-20
CVE-2024-34235Shared CWE-617

Affected Assets

h2o
quicly
≤ 2026-01-18

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates the vulnerability by requiring timely remediation through updating Quicly to the fixing commit d9d3df6a8530a102b57d840e39b0311ce5c9e14e.

prevent

Protects against the network-accessible DoS attack by implementing controls to limit or block effects of specially crafted QUIC packets causing process crashes.

prevent

Prevents availability compromise from reachable assertion failures (CWE-617) by requiring error handling that maintains system operation without crashing.

References