quiche: add information about CVE-2025-7054

crates/quiche/RUSTSEC-0000-0000.md

@@ -0,0 +1,49 @@
+```toml
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "quiche"
+date = "2025-08-07"
+url = "https://github.com/cloudflare/quiche/security/advisories/GHSA-m3hh-f9gh-74c2"
+cvss = "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"
+keywords = ["infinite loop"]
+aliases = ["CVE-2025-7054","GHSA-m3hh-f9gh-74c2"]
+license = "CC-BY-4.0"
+
+[versions]
+patched = [">= 0.24.5"]
+unaffected = ["< 0.15.0"]
+```
+
+# Infinite loop triggered by connection ID retirement
+
+Cloudflare quiche was discovered to be vulnerable to an
+infinite loop when sending packets containing
+RETIRE_CONNECTION_ID frames.
+
+QUIC connections possess a set of connection identifiers
+(IDs); see Section 5.1 of RFC 9000. Once the QUIC
+handshake completes, a local endpoint is responsible
+for issuing and retiring Connection IDs that are used by
+the remote peer to populate the Destination Connection
+ID field in packets sent from remote to local. Each
+Connection ID has a sequence number to ensure
+synchronization between peers
+
+An unauthenticated remote attacker can exploit this
+vulnerability by first completing a handshake and then
+sending a specially-crafted set of frames that trigger
+a connection ID retirement in the victim. When the
+victim attempts to send a packet containing
+RETIRE_CONNECTION_ID frames, Section 19.16 of RFC 9000
+requires that the sequence number of the retired
+connection ID must not be the same as the sequence
+number of the connection ID used by the packet. In
+other words, a packet cannot contain a frame that
+retires itself. In scenarios such as path migration,
+it is possible for there to be multiple active paths
+with different active connection IDs that could be
+used to retire each other. The exploit triggered an
+unintentional behaviour of a quiche design feature
+that supports retirement across paths while
+maintaining full connection ID synchronization,
+leading to an infinite loop.