CVE-2025-59530: 
Syncthing vulnerability analysis and mitigation

CVE-2025-59530 affects quic-go, an implementation of the QUIC protocol in Go. The vulnerability was discovered on October 10, 2025, affecting versions prior to 0.49.0, 0.54.1, and 0.55.0. A misbehaving or malicious server can trigger an assertion failure in a quic-go client during the handshake phase, leading to a process crash (GitHub Advisory, NVD).

The vulnerability exists in the QUIC handshake process, which normally uses three sets of keys: Initial keys, Handshake keys, and 1-RTT keys. The issue occurs when a server prematurely sends a HANDSHAKE_DONE frame before completing the handshake, causing Handshake keys to be dropped before Initial keys. This triggers an assertion that no packets should be queued after handshake completion. The vulnerability has a CVSS v3.1 base score of 7.5 (High) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (GitHub Advisory).

The vulnerability enables a denial-of-service (DoS) attack on quic-go clients by causing process crashes. This requires no authentication and can be exploited during the handshake phase. The issue has been observed in the wild with certain server implementations, including Solana's Firedancer QUIC (GitHub Advisory).

The vulnerability has been fixed in versions 0.49.1, 0.54.1, and 0.55.0. The fix involves discarding Initial keys when receiving a HANDSHAKE_DONE frame, thereby correctly handling premature HANDSHAKE_DONE frames. Users are recommended to upgrade to the latest patched version in their respective maintenance branch or to v0.55.0 or later (GitHub Advisory).