Homepage

Reachable Assertion Affecting teleport-17 package, versions <17.7.7-r1

Severity

 Recommended
low

Based on default assessment until relevant scores are available.

Threat Intelligence

EPSS
0.06% (20th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-MINIMOSLATEST-TELEPORT17-13534860
  • published12 Oct 2025
  • disclosed10 Oct 2025
Report a new vulnerability Found a mistake?

Introduced: 10 Oct 2025

NewCVE-2025-59530  (opens in a new tab)
CWE-617  (opens in a new tab)
CWE-755  (opens in a new tab)

How to fix?

Upgrade Minimos:latest teleport-17 to version 17.7.7-r1 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream teleport-17 package and not the teleport-17 package as distributed by Minimos. See How to fix? for Minimos:latest relevant fixed versions and status.

quic-go is an implementation of the QUIC protocol in Go. In versions prior to 0.49.0, 0.54.1, and 0.55.0, a misbehaving or malicious server can cause a denial-of-service (DoS) attack on the quic-go client by triggering an assertion failure, leading to a process crash. This requires no authentication and can be exploited during the handshake phase. This was observed in the wild with certain server implementations. quic-go needs to be able to handle misbehaving server implementations, including those that prematurely send a HANDSHAKE_DONE frame. Versions 0.49.0, 0.54.1, and 0.55.0 discard Initial keys when receiving a HANDSHAKE_DONE frame, thereby correctly handling premature HANDSHAKE_DONE frames.