Full Report
We identified and patched two DDoS vulnerabilities in our QUIC implementation related to packet acknowledgements. Cloudflare customers were not affected. We examine the "Optimistic ACK" attack vector and our solution, which dynamically skips packet numbers to validate client behavior.
Analysis Summary
# Vulnerability: DDoS Flaws in QUIC Acknowledgement Handling (Optimistic ACK and Unvalidated Ranges)
## CVE Details
- CVE ID: CVE-2025-4820, CVE-2025-4821
- CVSS Score: Not explicitly provided, but described as DDoS vulnerabilities. (Severity based on context: High due to impact on availability/resource exhaustion)
- CWE: No CWE identifier given. CVE-2025-4821 is a missing-input-validation flaw (ACK ranges accepted without checking them against sent packets); CVE-2025-4820 is a logic flaw in congestion-control state handling (predictable packet numbers let a peer acknowledge packets before they are sent).
## Affected Systems
- Products: Cloudflare's `quiche` library (open-source QUIC implementation).
- Versions: `quiche` versions prior to **0.24.4**.
- Configurations: Any service utilizing the vulnerable versions of the `quiche` library for QUIC/HTTP/3 processing.
## Vulnerability Description
Two denial-of-service (DDoS) related vulnerabilities were found in the handling of QUIC packet acknowledgements (ACKs) within the `quiche` library:
1. **CVE-2025-4820 (Optimistic ACK Attack):** An attacker could predict and preemptively send ACK packets for data the sender had not yet transmitted. This allowed the attacker to trick the QUIC congestion control algorithm (like Cubic) into artificially expanding its congestion window (CWND), causing the endpoint to increase its send rate beyond fair network usage limits.
2. **CVE-2025-4821 (Unvalidated ACK Range):** The implementation lacked validation for ACK ranges, allowing a peer to send ACK ranges corresponding to packets that the endpoint had never actually sent.
In both cases an attacker can subvert the congestion-control signals to gain an unfair share of the network, driving up server CPU utilization and amplifying outbound traffic, which is why both are treated as DDoS vectors.
## Exploitation
- Status: **Not exploited in the wild**. Vulnerabilities were disclosed via a bug bounty report.
- Complexity: **Medium** (CVE-2025-4820 explicitly mentions a "sophisticated attacker").
- Attack Vector: **Network**.
## Impact
- Confidentiality: **None** (The issue is focused on resource exhaustion/DDoS).
- Integrity: **Low** (Potential for protocol state disruption, but primary target is resource availability).
- Availability: **High** (Designed as a DDoS vector leading to CPU exhaustion and traffic amplification).
## Remediation
### Patches
- **CVE-2025-4820 & CVE-2025-4821:** Upgrade `quiche` to version **0.24.4** or later.
- Cloudflare completed infrastructure patching on 2025-05-16.
### Workarounds
The mitigation implemented for CVE-2025-4820 adds **dynamic CWND-aware skip frequency** logic to the ACK handling path: the sender deliberately leaves packet numbers unused, at a rate tied to the current congestion window, so that a packet with a skipped number never exists. An ACK covering a skipped number can only come from a peer acknowledging speculatively, which lets the sender validate client behavior and refuse to open the congestion window on such ACKs. Organizations running affected versions should apply the same idea and bounds-check every received acknowledgement range against the packet numbers actually sent, which closes both vectors.
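As an added illustration of both checks (example code written for this summary, not quiche's own implementation): a minimal sender-side tracker in Rust that skips a packet number on request and rejects any ACK range covering a number it never sent, distinguishing a number above the sent range from a deliberately skipped one. The decision of when to skip, which quiche ties to the CWND, is left to the caller here.

```rust
use std::collections::BTreeSet;
/// Result of validating one ACK frame against what this endpoint really sent.
#[derive(Debug, PartialEq)]
pub enum AckVerdict {
    /// All acknowledged numbers were sent; carries those acked for the first time.
    Valid(Vec<u64>),
    /// A number above anything sent so far (the unvalidated-range case).
    NeverSent(u64),
    /// A deliberately skipped number: no such packet ever existed, so the peer
    /// is acknowledging speculatively (the optimistic-ACK case).
    SkippedAcked(u64),
}

/// Sender-side bookkeeping: numbers below `next_pn` were sent unless skipped.
pub struct SentTracker { next_pn: u64, unacked: BTreeSet<u64>, skipped: BTreeSet<u64> }
impl SentTracker {
    pub fn new() -> Self {
        Self { next_pn: 0, unacked: BTreeSet::new(), skipped: BTreeSet::new() }
    }

    /// Allocate the next packet number. With `skip_one`, one number is left unused
    /// first. quiche ties the skip frequency to the CWND; here the caller decides.
    pub fn next_packet(&mut self, skip_one: bool) -> u64 {
        if skip_one {
            self.skipped.insert(self.next_pn);
            self.next_pn += 1;
        }
        let pn = self.next_pn;
        self.next_pn += 1;
        self.unacked.insert(pn);
        pn
    }

    /// Validate inclusive ACK ranges `(lowest, largest)`. The whole frame is
    /// rejected, and nothing is marked acked, if any number fails the check.
    pub fn on_ack(&mut self, ranges: &[(u64, u64)]) -> AckVerdict {
        let mut newly = Vec::new();
        for &(lo, hi) in ranges {
            // Bound-check first so a huge bogus range cannot burn CPU in the loop.
            if hi >= self.next_pn { return AckVerdict::NeverSent(hi); }
            for pn in lo..=hi {
                if self.skipped.contains(&pn) { return AckVerdict::SkippedAcked(pn); }
                if self.unacked.contains(&pn) { newly.push(pn); }
            }
        }
        for pn in &newly { self.unacked.remove(pn); }
        AckVerdict::Valid(newly)
    }
}
```

A `SkippedAcked` verdict is the strongest signal: a duplicate ACK for real packets is harmless, but no honest peer can acknowledge a number that was never transmitted.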
## Detection
- Indicators of compromise: Unusually high rates of ACK packets relative to expected data transmission, paired with rapid, unwarranted growth in the sender's congestion window (CWND), or high server CPU usage related to connection state management.
- Detection methods and tools: Monitoring QUIC connection flow statistics for anomalous ACK patterns, or using protocol analysis tools to inspect ACK frames against the expected sequence numbers sent by the server.
## References
- Vendor Advisories: Cloudflare Blog Post on Defending QUIC from acknowledgement-based DDoS attacks (2025-10-29).
- Relevant links:
  - [cve.org/CVERecord?id=CVE-2025-4820](https://www.cve.org/CVERecord?id=CVE-2025-4820)
  - [cve.org/CVERecord?id=CVE-2025-4821](https://www.cve.org/CVERecord?id=CVE-2025-4821)
  - [github.com/cloudflare/quiche](https://github.com/cloudflare/quiche)
- Published research paper confirming Optimistic ACK vulnerability across multiple implementations.