[GH-ISSUE #5028] Update quic-go for CVE-2025-59530 fix #3960

Closed
opened 2026-05-05 14:31:10 -06:00 by gitea-mirror · 1 comment

Originally created by @rtkjweeks on GitHub (Oct 24, 2025).
Original GitHub issue: https://github.com/fatedier/frp/issues/5028

Bug Description

quic-go v0.53.0 (currently in use) is vulnerable to CVE-2025-59530.
A fix exists in 0.54.1.
I would like to update to this version.

Affected versions of this package are vulnerable to Reachable Assertion in the handshake phase. An attacker can cause the client to crash by sending a premature HANDSHAKE_DONE frame from a misbehaving or malicious server, which can cause a denial-of-service.

frpc Version

0.65.0

frps Version

0.65.0

System Architecture

linux/arm64, linux/amd64 (likely all)

Configurations

Found via static code analysis

Logs

No response

Steps to reproduce

  1. Found via CVE code analysis tool

Affected area

  • [ ] Docs
  • [ ] Installation
  • [ ] Performance and Scalability
  • [x] Security
  • [ ] User Experience
  • [ ] Test and Release
  • [ ] Developer Infrastructure
  • [ ] Client Plugin
  • [ ] Server Plugin
  • [ ] Extensions
  • [ ] Others
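As an added example (not code from this issue or from the frp project), a stdlib-only Go check that scans a go.mod, finds the version pinned for quic-go and reports whether it is older than the fixed release the issue names. The go.mod text is constructed for the example and `example.com/frp-like` is a placeholder module path, not frp's real one.

```go
package main

import (
	"fmt"
	"slices"
	"strings"
)

// Constructed go.mod fragment using the versions named in the issue; not frp's real go.mod.
const sampleGoMod = "module example.com/frp-like\n\nrequire (\n\tgithub.com/quic-go/quic-go v0.53.0\n\tgolang.org/x/net v0.30.0 // indirect\n)\n"

// Module path and first fixed release for CVE-2025-59530, as stated in the issue.
const quicGoPath, quicGoFixed = "github.com/quic-go/quic-go", "v0.54.1"

// semver parses "vMAJOR.MINOR.PATCH"; a trailing -pre or +build suffix is ignored.
func semver(v string) (out [3]int, err error) {
	n, err := fmt.Sscanf(strings.TrimPrefix(v, "v"), "%d.%d.%d", &out[0], &out[1], &out[2])
	if err != nil || n != 3 {
		return out, fmt.Errorf("not a semver: %q", v)
	}
	return out, nil
}

// requiredVersion returns the version goMod pins for modPath (one-line or block require).
func requiredVersion(goMod, modPath string) (string, bool) {
	for _, line := range strings.Split(goMod, "\n") {
		f := strings.Fields(line)
		if len(f) >= 3 && f[0] == "require" {
			f = f[1:] // drop the keyword of the one-line form
		}
		if len(f) >= 2 && f[0] == modPath {
			return f[1], true
		}
	}
	return "", false
}

// IsVulnerable reports whether goMod pins modPath below fixed, comparing (major, minor, patch).
func IsVulnerable(goMod, modPath, fixed string) (bool, error) {
	got, ok := requiredVersion(goMod, modPath)
	if !ok {
		return false, fmt.Errorf("%s is not required by this go.mod", modPath)
	}
	have, err1 := semver(got)
	want, err2 := semver(fixed)
	if err1 != nil || err2 != nil {
		return false, fmt.Errorf("cannot compare %q with %q", got, fixed)
	}
	return slices.Compare(have[:], want[:]) < 0, nil
}
```

Pre-release and pseudo-version suffixes are ignored by the parser, so treat a hit as a prompt to confirm with `govulncheck` rather than as a final verdict.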

@rtkjweeks commented on GitHub (Oct 24, 2025):

I have a commit/branch for this, but am unable to push:

```
$ git push --set-upstream origin update-quic-version
ERROR: Permission to fatedier/frp.git denied to rtkjweeks.
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.
```