CVE-2025-61684
Published: 19 January 2026
Summary
CVE-2025-61684 is a high-severity Improper Input Validation (CWE-20) vulnerability in H2O Quicly. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 43.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
Threat & Defense at a Glance
Threat & Defense Details
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Security testing and developer training directly verify and enforce proper input validation, reducing exploitability of injection and malformed-data weaknesses.
Security testing and evaluation at multiple SDLC stages directly detects missing or flawed input validation, with the required remediation process ensuring fixes are applied.
Directly implements checks on information inputs to reject invalid data before processing.
Spam protection mechanisms perform filtering and detection on inbound/outbound messages, directly compensating for missing or weak input validation of unsolicited content.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Remote crafted QUIC packets trigger assertion failure (CWE-617) and crash via improper input validation, directly enabling application/system exploitation for endpoint DoS.
NVD Description
Quicly, an IETF QUIC protocol implementation, is susceptible to a denial-of-service attack prior to commit d9d3df6a8530a102b57d840e39b0311ce5c9e14e. A remote attacker can exploit these bugs to trigger an assertion failure that crashes process using Quicly. Commit d9d3df6a8530a102b57d840e39b0311ce5c9e14e fixes the issue.
Deeper analysisAI
CVE-2025-61684 is a denial-of-service vulnerability in Quicly, an open-source implementation of the IETF QUIC protocol. Versions of Quicly prior to commit d9d3df6a8530a102b57d840e39b0311ce5c9e14e contain flaws that allow a remote attacker to trigger an assertion failure, causing any process using the library to crash. The issue is associated with CWE-20 (Improper Input Validation) and CWE-617 (Reachable Assertion), and it has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high availability impact with network accessibility and no privileges required.
A remote, unauthenticated attacker can exploit this vulnerability by sending specially crafted QUIC packets to a target system running an affected version of Quicly. Successful exploitation leads to an assertion failure that terminates the process, resulting in a denial of service. The low attack complexity and lack of user interaction make it feasible for attackers to repeatedly trigger crashes, potentially disrupting services relying on QUIC for transport.
Mitigation is available via the fixing commit d9d3df6a8530a102b57d840e39b0311ce5c9e14e, which addresses the assertion failure. Security practitioners should update Quicly to this commit or later. Additional details are provided in the GitHub security advisory GHSA-wr3c-345m-43v9.
Details
- CWE(s)