
9 matches found

RedhatCVE (added 2025/12/17 9:27 a.m., 4 views)

CVE-2025-64702

quic-go is an implementation of the QUIC protocol in Go. Versions 0.56.0 and below are vulnerable to excessive memory allocation through quic-go's HTTP/3 client and server implementations by sending a QPACK-encoded HEADERS frame that decodes into a large header field section many unique header...

CVSS 5.3, AI score 6.8, EPSS 0.00019
Exploits: 0, References: 5
UbuntuCve (added 2025/12/11 9:15 p.m., 2 views)

CVE-2025-64702

quic-go is an implementation of the QUIC protocol in Go. Versions 0.56.0 and below are vulnerable to excessive memory allocation through quic-go's HTTP/3 client and server implementations by sending a QPACK-encoded HEADERS frame that decodes into a large header field section many unique header...

CVSS 5.3, AI score 7.1, EPSS 0.00019
Exploits: 0, References: 3
CVE (added 2025/12/11 8:58 p.m., 20 views)

CVE-2025-64702

CVE-2025-64702 affects quic-go (Go QUIC implementation) and is documented across multiple feeds. The issue occurs in versions 0.56.0 and earlier where the HTTP/3 client and server decode QPACK HEADERS frames into http.Header without enforcing a decoded-header size limit, leading to memory exhaust...

CVSS 5.3, AI score 6.4, EPSS 0.00019
Exploits: 0, References: 2, Affected Software: 1
Debian CVE (added 2025/12/11 8:58 p.m., 2 views)

CVE-2025-64702

quic-go is an implementation of the QUIC protocol in Go. Versions 0.56.0 and below are vulnerable to excessive memory allocation through quic-go's HTTP/3 client and server implementations by sending a QPACK-encoded HEADERS frame that decodes into a large header field section many unique header...

CVSS 5.3, AI score 7.7, EPSS 0.00019
Exploits: 0
CNNVD (added 2025/12/11 12:00 a.m., 1 view)

quic-go security vulnerability

quic-go is an implementation of the QUIC protocol, RFC 9000 protocol, in Go by the individual developer Lucas Clemente. A security vulnerability exists in quic-go 0.56.0 and earlier versions, which stems from a failure to enforce restrictions on decoded headers and could lead to memory exhaustion...

CVSS 5.3, AI score 6.3, EPSS 0.00019
Exploits: 0, References: 2
NVD (added 2025/05/30 8:15 p.m., 11 views)

CVE-2025-48948

Navidrome is an open source web-based music collection server and streamer. A permission verification flaw in versions prior to 0.56.0 allows any authenticated regular user to bypass authorization checks and perform administrator-only transcoding configuration operations, including creating,...

CVSS 8.7, EPSS 0.00233
Exploits: 1, References: 3
CVE (added 2025/05/30 7:40 p.m., 86 views)

CVE-2025-48949

Navidrome (open source music server) contains an SQL injection vulnerability in the API endpoint /api/artist, caused by improper input validation of the role parameter. Affected versions are 0.55.0 through 0.55.2; version 0.56.0 patches the issue. The flaw could allow an attacker to inject arbitr...

CVSS 9.8, AI score 7.4, EPSS 0.00489
Exploits: 0, References: 2, Affected Software: 1
OSV (added 2025/05/30 7:25 p.m., 3 views)

CVE-2025-48948 Navidrome Transcoding Permission Bypass Vulnerability Report

Navidrome is an open source web-based music collection server and streamer. A permission verification flaw in versions prior to 0.56.0 allows any authenticated regular user to bypass authorization checks and perform administrator-only transcoding configuration operations, including creating,...

CVSS 8.7, AI score 6.2, EPSS 0.00233
Exploits: 1, References: 5
Snyk (added 2025/05/29 5:27 p.m., 2 views)

SQL Injection

Overview Affected versions of this package are vulnerable to SQL Injection through the role parameter within the API endpoint /api/artist. An attacker can execute arbitrary SQL commands and potentially access or alter sensitive data by injecting malicious SQL queries into the input field...

CVSS 9.8, AI score 8.5, EPSS 0.00489
Exploits: 0, References: 2