CVE-2025-61684 is a denial-of-service vulnerability in the Quicly library, a widely used implementation of the IETF QUIC protocol. If exploited, an attacker could remotely crash services or applications utilizing this library, leading to a complete loss of availability for network-dependent systems.

The vulnerability is a denial-of-service (DoS) flaw within the Quicly protocol stack. It stems from improper handling of specific QUIC frames or transport parameters during the connection handshake or stream processing. An attacker can exploit this by sending specially crafted, malformed QUIC packets to a vulnerable endpoint. Because the QUIC protocol operates over UDP, an attacker may be able to spoof source addresses or initiate a large number of sessions that trigger the vulnerable code path, leading to a process crash or resource exhaustion without requiring valid authentication.

This vulnerability is classified as High severity with a CVSS score of 7.5. The primary business impact is the potential for prolonged service downtime, which can lead to significant operational disruptions, loss of revenue, and breach of Service Level Agreements (SLAs). Since QUIC is the foundational protocol for HTTP/3, any web-facing infrastructure or internal microservices relying on Quicly for high-performance communication are at risk. Exploitation could result in a total loss of availability for critical customer-facing applications.

Immediate Action: Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs. Organizations should prioritize identifying third-party software, load balancers, or custom applications that integrate the Quicly library and ensure they are updated to a version containing commit d9d3df6a8530a102b57d840e39b0311ce5c9e14e.

Proactive Monitoring: Security teams should monitor network traffic for anomalies in UDP port 443 (standard QUIC port) and look for patterns indicative of malformed packet floods. Implement logging for protocol-level errors and monitor system health for frequent service restarts or unexpected segmentation faults in networking components.

Compensating Controls: If immediate patching is not possible, organizations may consider temporarily disabling QUIC support on edge devices, forcing traffic to fail back to TLS over TCP (HTTP/2). Additionally, implementing aggressive rate-limiting on UDP traffic and utilizing Web Application Firewalls (WAFs) with QUIC-aware inspection capabilities can help mitigate the risk of exploitation.

Public Exploit Available: false

We recommend that the organization conduct an immediate inventory of all networking equipment and software stacks to identify dependencies on the Quicly library. Given the high CVSS score and the potential for widespread service disruption, patching should be treated as a high priority. Although this vulnerability is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog, its position in a foundational networking protocol makes it an attractive target for attackers seeking to cause maximum disruption with minimal effort.