VulnerableCode Package Details - pkg:cargo/quiche@0.19.1

Staging Environment: Content and features may be unstable or change without notice.

Search for packages

Package details: pkg:cargo/quiche@0.19.1

Essentials
History (1)

purl	pkg:cargo/quiche@0.19.1

Vulnerabilities affecting this package (0)

Vulnerability	Summary	Fixed by
This package is not known to be affected by vulnerabilities.

Vulnerabilities fixed by this package (1)

Vulnerability	Summary	Aliases
VCID-arws-exmk-fkdp	Unbounded queuing of path validation messages in cloudflare-quiche ### Impact quiche v. 0.15.0 through 0.19.0 was discovered to be vulnerable to unbounded queuing of path validation messages, which could lead to excessive resource consumption. QUIC path validation ([RFC 9000 Section 8.2](https://datatracker.ietf.org/doc/html/rfc9000#section-8.2)) requires that the recipient of a PATH_CHALLENGE frame responds by sending a PATH_RESPONSE. An unauthenticated remote attacker can exploit the vulnerability by sending PATH_CHALLENGE frames and manipulating the connection (e.g. by restricting the peer's congestion window size) so that PATH_RESPONSE frames can only be sent at the slower rate than they are received, leading to storage of path validation data in an unbounded queue. ### Patches Quiche versions greater than 0.19.0 address this problem. ### References [CVE-2023-6193](https://www.cve.org/CVERecord?id=CVE-2023-6193) [RFC 9000 Section 8.2](https://datatracker.ietf.org/doc/html/rfc9000#section-8.2)	CVE-2023-6193 GHSA-w3vp-jw9m-f9pm

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-02T17:00:51.693449+00:00	GHSA Importer	Fixing	VCID-arws-exmk-fkdp	https://github.com/advisories/GHSA-w3vp-jw9m-f9pm	38.1.0