Package details: pkg:deb/debian/golang-github-lucas-clemente-quic-go@0.19.3-1
purl pkg:deb/debian/golang-github-lucas-clemente-quic-go@0.19.3-1
Next non-vulnerable version 0.46.0-2~bpo12+1
Latest non-vulnerable version 0.55.0-1
Risk 4.0
Vulnerabilities affecting this package (6)
Vulnerability Summary Fixed by
VCID-18gf-znwv-aubu
Aliases:
CVE-2024-22189
GHSA-c33x-xqrf-c478
QUIC's Connection ID Mechanism vulnerable to Memory Exhaustion Attack

An attacker can cause its peer to run out of memory by sending a large number of NEW_CONNECTION_ID frames that retire old connection IDs. The receiver is supposed to respond to each retirement frame with a RETIRE_CONNECTION_ID frame. The attacker can prevent the receiver from sending out (the vast majority of) these RETIRE_CONNECTION_ID frames by collapsing the peer's congestion window (by selectively acknowledging received packets) and by manipulating the peer's RTT estimate.

I published a more detailed description of the attack and its mitigation in this blog post: https://seemann.io/posts/2024-03-19-exploiting-quics-connection-id-management/. I also presented this attack in the IETF QUIC working group session at IETF 119: https://youtu.be/JqXtYcZAtIA?si=nJ31QKLBSTRXY35U&t=3683

There's no way to mitigate this attack, please update quic-go to a version that contains the fix.
0.46.0-2~bpo12+1
Affected by 0 other vulnerabilities.
VCID-3vjt-1se3-rbhc
Aliases:
CVE-2023-49295
GHSA-ppxx-5m9h-6vxf
quic-go's path validation mechanism can be exploited to cause denial of service

An attacker can cause its peer to run out of memory by sending a large number of PATH_CHALLENGE frames. The receiver is supposed to respond to each PATH_CHALLENGE frame with a PATH_RESPONSE frame. The attacker can prevent the receiver from sending out (the vast majority of) these PATH_RESPONSE frames by collapsing the peer's congestion window (by selectively acknowledging received packets) and by manipulating the peer's RTT estimate.

I published a more detailed description of the attack and its mitigation in this blog post: https://seemann.io/posts/2023-12-18-exploiting-quics-path-validation/

There's no way to mitigate this attack, please update quic-go to a version that contains the fix.
0.46.0-2~bpo12+1
Affected by 0 other vulnerabilities.
VCID-apqf-t7ew-5fgw
Aliases:
CVE-2025-64702
GHSA-g754-hx8w-x2g6
quic-go HTTP/3 QPACK Header Expansion DoS

## Summary

An attacker can cause excessive memory allocation in quic-go's HTTP/3 client and server implementations by sending a QPACK-encoded HEADERS frame that decodes into a large header field section (many unique header names and/or large values). The implementation builds an `http.Header` (used on the `http.Request` and `http.Response`, respectively), while only enforcing limits on the size of the (QPACK-compressed) HEADERS frame, but not on the decoded header, leading to memory exhaustion.

## Impact

A misbehaving or malicious peer can cause a denial-of-service (DoS) attack on quic-go's HTTP/3 servers or clients by triggering excessive memory allocation, potentially leading to crashes or exhaustion. It affects both servers and clients due to symmetric header construction.

## Details

In HTTP/3, headers are compressed using QPACK (RFC 9204). quic-go's HTTP/3 server (and client) decodes the QPACK-encoded HEADERS frame into header fields, then constructs an http.Request (or response). `http3.Server.MaxHeaderBytes` and `http3.Transport.MaxResponseHeaderBytes`, respectively, limit encoded HEADERS frame size (default: 1 MB server, 10 MB client), but not decoded size. A maliciously crafted HEADERS frame can expand to ~50x the encoded size using QPACK static table entries with long names / values. RFC 9114 requires enforcing decoded field section size limits via SETTINGS, which quic-go did not do.

## The Fix

quic-go now enforces RFC 9114 decoded field section size limits, sending SETTINGS_MAX_FIELD_SECTION_SIZE and using incremental QPACK decoding to check the header size after each entry, aborting early on violations with HTTP 431 (on the server side) and stream reset (on the client side).
0.46.0-2~bpo12+1
Affected by 0 other vulnerabilities.
0.55.0-1
Affected by 0 other vulnerabilities.
VCID-qatc-a78d-8ufh
Aliases:
CVE-2025-59530
GHSA-47m2-4cr7-mhcw
quic-go: Panic occurs when queuing undecryptable packets after handshake completion

## Summary

A misbehaving or malicious server can trigger an assertion in a quic-go client (and crash the process) by sending a premature HANDSHAKE_DONE frame during the handshake.

## Impact

A misbehaving or malicious server can cause a denial-of-service (DoS) attack on the quic-go client by triggering an assertion failure, leading to a process crash. This requires no authentication and can be exploited during the handshake phase. Observed in the wild with certain server implementations (e.g. Solana's Firedancer QUIC).

## Affected Versions

- All versions prior to v0.49.1 (for the 0.49 branch)
- Versions v0.50.0 to v0.54.0 (inclusive)
- Fixed in v0.49.1, v0.54.1, and v0.55.0 onward

Users are recommended to upgrade to the latest patched version in their respective maintenance branch or to v0.55.0 or later.

## Details

For a regular 1-RTT handshake, QUIC uses three sets of keys to encrypt / decrypt QUIC packets:

- Initial keys (derived from a static key and the connection ID)
- Handshake keys (derived from the client's and server's key shares in the TLS handshake)
- 1-RTT keys (derived when the TLS handshake finishes)

On the client side, Initial keys are discarded when the first Handshake packet is sent. Handshake keys are discarded when the server's HANDSHAKE_DONE frame is received, as specified in section 4.9.2 of RFC 9001. Crucially, Initial keys are always dropped before Handshake keys in a standard handshake.

Due to packet reordering, it is possible to receive a packet with a higher encryption level before the key for that encryption level has been derived. For example, the server's Handshake packets (containing, among others, the TLS certificate) might arrive before the server's Initial packet (which contains the TLS ServerHello). In that case, the client queues the Handshake packets and decrypts them as soon as it has processed the ServerHello and derived Handshake keys.

After completion of the handshake, Initial and Handshake packets are not needed anymore and will be dropped. quic-go implements an [assertion](https://github.com/quic-go/quic-go/blob/v0.55.0/connection.go#L2682-L2685) that no packets are queued after completion of the handshake.

A misbehaving or malicious server can trigger this assertion, and thereby cause a panic, by sending a HANDSHAKE_DONE frame before actually completing the handshake. In that case, Handshake keys would be dropped before Initial keys. This can only happen if the server implementation is misbehaving: the server can only complete the handshake after receiving the client's TLS Finished message (which is sent in Handshake packets).

## The Fix

quic-go needs to be able to handle misbehaving server implementations, including those that prematurely send a HANDSHAKE_DONE frame. We now discard Initial keys when receiving a HANDSHAKE_DONE frame, thereby correctly handling premature HANDSHAKE_DONE frames. The fix was implemented in https://github.com/quic-go/quic-go/pull/5354.
0.46.0-2~bpo12+1
Affected by 0 other vulnerabilities.
0.55.0-1
Affected by 0 other vulnerabilities.
VCID-tw5q-cn78-vyda
Aliases:
CVE-2025-29785
GHSA-j972-j939-p2v3
quic-go Has Panic in Path Probe Loss Recovery Handling

### Impact

The loss recovery logic for path probe packets that was added in the v0.50.0 release can be used to trigger a nil-pointer dereference by a malicious QUIC client. In order to do so, the attacker first sends valid QUIC packets from different remote addresses (thereby triggering the newly added path validation logic: the server sends path probe packets), and then sends ACKs for packets received from the server specifically crafted to trigger the nil-pointer dereference.

### Patches

v0.50.1 contains a patch that fixes the vulnerability. This release contains a test that generates random sequences of sent packets (both regular and path probe packets), that was used to verify that the patch actually covers all corner cases.

### Workarounds

No.

### References

This issue has been reported publicly, but without any context, in https://github.com/quic-go/quic-go/issues/4981.
0.46.0-2~bpo12+1
Affected by 0 other vulnerabilities.
VCID-u6kw-zxc9-q7gg
Aliases:
CVE-2024-53259
GHSA-px8v-pp82-rcvr
quic-go affected by an ICMP Packet Too Large Injection Attack on Linux

### Impact

An off-path attacker can inject an ICMP Packet Too Large packet. Since affected quic-go versions used `IP_PMTUDISC_DO`, the kernel would then return a "message too large" error on `sendmsg`, i.e. when quic-go attempts to send a packet that exceeds the MTU claimed in that ICMP packet. By setting this value to smaller than 1200 bytes (the minimum MTU for QUIC), the attacker can disrupt a QUIC connection. Crucially, this can be done after completion of the handshake, thereby circumventing any TCP fallback that might be implemented on the application layer (for example, many browsers fall back to HTTP over TCP if they're unable to establish a QUIC connection).

As far as I understand, the kernel tracks the MTU per 4-tuple, so the attacker needs to at least know the client's IP and port tuple to mount an attack (assuming that it knows the server's IP and port).

### Patches

The fix is easy: Use `IP_PMTUDISC_PROBE` instead of `IP_PMTUDISC_DO`. This socket option only sets the DF bit, but disables the kernel's MTU tracking.

_Has the problem been patched? What versions should users upgrade to?_

Fixed in https://github.com/quic-go/quic-go/pull/4729
Released in https://github.com/quic-go/quic-go/releases/tag/v0.48.2

### Workarounds

_Is there a way for users to fix or remediate the vulnerability without upgrading?_

Use iptables to drop ICMP Unreachable packets.

### References

_Are there any links users can visit to find out more?_

This bug was discovered while doing research for my new IETF draft on IP fragmentation: https://datatracker.ietf.org/doc/draft-seemann-tsvwg-udp-fragmentation/
0.46.0-2~bpo12+1
Affected by 0 other vulnerabilities.
Vulnerabilities fixed by this package (0)
Vulnerability Summary Aliases
This package is not known to fix vulnerabilities.

Date Actor Action Vulnerability Source VulnerableCode Version
2026-04-16T13:19:28.109265+00:00 Debian Importer Affected by VCID-tw5q-cn78-vyda https://security-tracker.debian.org/tracker/data/json 38.4.0
2026-04-16T12:45:48.378009+00:00 Debian Importer Affected by VCID-18gf-znwv-aubu https://security-tracker.debian.org/tracker/data/json 38.4.0
2026-04-16T12:30:54.201456+00:00 Debian Importer Affected by VCID-qatc-a78d-8ufh https://security-tracker.debian.org/tracker/data/json 38.4.0
2026-04-16T12:27:11.164175+00:00 Debian Importer Affected by VCID-3vjt-1se3-rbhc https://security-tracker.debian.org/tracker/data/json 38.4.0
2026-04-16T11:33:08.547690+00:00 Debian Importer Affected by VCID-u6kw-zxc9-q7gg https://security-tracker.debian.org/tracker/data/json 38.4.0
2026-04-16T09:09:41.475731+00:00 Debian Importer Affected by VCID-apqf-t7ew-5fgw https://security-tracker.debian.org/tracker/data/json 38.4.0
2026-04-13T09:10:53.817609+00:00 Debian Importer Affected by VCID-tw5q-cn78-vyda https://security-tracker.debian.org/tracker/data/json 38.3.0
2026-04-13T08:45:12.629461+00:00 Debian Importer Affected by VCID-18gf-znwv-aubu https://security-tracker.debian.org/tracker/data/json 38.3.0
2026-04-13T08:34:10.509371+00:00 Debian Importer Affected by VCID-qatc-a78d-8ufh https://security-tracker.debian.org/tracker/data/json 38.3.0
2026-04-13T08:31:28.041149+00:00 Debian Importer Affected by VCID-3vjt-1se3-rbhc https://security-tracker.debian.org/tracker/data/json 38.3.0
2026-04-13T07:52:30.294951+00:00 Debian Importer Affected by VCID-u6kw-zxc9-q7gg https://security-tracker.debian.org/tracker/data/json 38.3.0
2026-04-11T18:07:59.194993+00:00 Debian Importer Affected by VCID-apqf-t7ew-5fgw https://security-tracker.debian.org/tracker/data/json 38.3.0
2026-04-08T20:06:08.053239+00:00 Debian Importer Affected by VCID-tw5q-cn78-vyda https://security-tracker.debian.org/tracker/data/json 38.1.0
2026-04-08T19:49:38.466712+00:00 Debian Importer Affected by VCID-18gf-znwv-aubu https://security-tracker.debian.org/tracker/data/json 38.1.0
2026-04-08T19:42:24.837168+00:00 Debian Importer Affected by VCID-qatc-a78d-8ufh https://security-tracker.debian.org/tracker/data/json 38.1.0
2026-04-08T19:40:40.835664+00:00 Debian Importer Affected by VCID-3vjt-1se3-rbhc https://security-tracker.debian.org/tracker/data/json 38.1.0
2026-04-08T19:14:25.783104+00:00 Debian Importer Affected by VCID-u6kw-zxc9-q7gg https://security-tracker.debian.org/tracker/data/json 38.1.0
2026-04-04T17:57:42.694380+00:00 Debian Importer Affected by VCID-apqf-t7ew-5fgw https://security-tracker.debian.org/tracker/data/json 38.1.0