Lookup for vulnerable packages by Package URL.

Purl: pkg:rpm/redhat/receptor@1.5.1-2?arch=el9ap
Type: rpm
Namespace: redhat
Name: receptor
Version: 1.5.1-2
Qualifiers: arch el9ap
Subpath:
Is_vulnerable: true
Next_non_vulnerable_version: null
Latest_non_vulnerable_version: null
Affected_by_vulnerabilities:
0
url VCID-u6kw-zxc9-q7gg
vulnerability_id VCID-u6kw-zxc9-q7gg
summary
quic-go affected by an ICMP Packet Too Large Injection Attack on Linux
### Impact
An off-path attacker can inject an ICMP Packet Too Large packet. Since affected quic-go versions used `IP_PMTUDISC_DO`, the kernel would then return a "message too large" error on `sendmsg`, i.e. when quic-go attempts to send a packet that exceeds the MTU claimed in that ICMP packet.

By setting this value to smaller than 1200 bytes (the minimum MTU for QUIC), the attacker can disrupt a QUIC connection. Crucially, this can be done after completion of the handshake, thereby circumventing any TCP fallback that might be implemented on the application layer (for example, many browsers fall back to HTTP over TCP if they're unable to establish a QUIC connection).

As far as I understand, the kernel tracks the MTU per 4-tuple, so the attacker needs to at least know the client's IP and port tuple to mount an attack (assuming that it knows the server's IP and port).

### Patches

The fix is easy: Use `IP_PMTUDISC_PROBE` instead of `IP_PMTUDISC_DO`. This socket option only sets the DF bit, but disables the kernel's MTU tracking.
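The socket-option change described under Patches, as an added example that is not quic-go's own code: it binds a loopback IPv4 UDP socket in the vulnerable configuration (`IP_PMTUDISC_DO`) and in the fixed one (`IP_PMTUDISC_PROBE`) and reads the mode back so the setting can be verified. It assumes Linux (the `syscall` constants are Linux values); the helper names `newQUICSocket`, `setMTUDiscover` and `getMTUDiscover` are hypothetical.

```go
package main

import (
	"fmt"
	"net"
	"syscall"
)

// setMTUDiscover applies an IP_MTU_DISCOVER mode to the IPv4 socket under conn.
func setMTUDiscover(conn *net.UDPConn, mode int) error {
	raw, err := conn.SyscallConn()
	if err != nil {
		return err
	}
	var opErr error
	if err := raw.Control(func(fd uintptr) {
		opErr = syscall.SetsockoptInt(int(fd), syscall.IPPROTO_IP, syscall.IP_MTU_DISCOVER, mode)
	}); err != nil {
		return err
	}
	return opErr
}

// getMTUDiscover reads the mode back, so a deployment can confirm the fix is in effect.
func getMTUDiscover(conn *net.UDPConn) (int, error) {
	raw, err := conn.SyscallConn()
	if err != nil {
		return 0, err
	}
	var mode int
	var opErr error
	if err := raw.Control(func(fd uintptr) {
		mode, opErr = syscall.GetsockoptInt(int(fd), syscall.IPPROTO_IP, syscall.IP_MTU_DISCOVER)
	}); err != nil {
		return 0, err
	}
	return mode, opErr
}

// newQUICSocket binds a loopback IPv4 UDP socket (hypothetical helper).
// hardened=false is the vulnerable setup: IP_PMTUDISC_DO sets DF and lets the
// kernel cache the path MTU learned from ICMP, so sendmsg fails with EMSGSIZE
// once a forged Packet Too Large lowers that MTU below QUIC's 1200-byte minimum.
// hardened=true is the fix: IP_PMTUDISC_PROBE sets DF but disables kernel MTU tracking.
func newQUICSocket(hardened bool) (*net.UDPConn, error) {
	conn, err := net.ListenUDP("udp4", &net.UDPAddr{IP: net.IPv4(127, 0, 0, 1)})
	if err != nil {
		return nil, err
	}
	mode := syscall.IP_PMTUDISC_DO
	if hardened {
		mode = syscall.IP_PMTUDISC_PROBE
	}
	if err := setMTUDiscover(conn, mode); err != nil {
		conn.Close()
		return nil, err
	}
	return conn, nil
}

func main() {
	for _, hardened := range []bool{false, true} {
		conn, err := newQUICSocket(hardened)
		if err != nil {
			panic(err)
		}
		mode, _ := getMTUDiscover(conn)
		fmt.Printf("hardened=%v IP_MTU_DISCOVER=%d\n", hardened, mode)
		conn.Close()
	}
}
```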

_Has the problem been patched? What versions should users upgrade to?_

Fixed in https://github.com/quic-go/quic-go/pull/4729
Released in https://github.com/quic-go/quic-go/releases/tag/v0.48.2

### Workarounds
_Is there a way for users to fix or remediate the vulnerability without upgrading?_

Use iptables to drop ICMP Unreachable packets.

### References

_Are there any links users can visit to find out more?_

This bug was discovered while doing research for my new IETF draft on IP fragmentation: https://datatracker.ietf.org/doc/draft-seemann-tsvwg-udp-fragmentation/
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-53259.json
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-53259.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-53259
reference_id
reference_type
scores
| # | value | scoring_system | scoring_elements | published_at |
|---|---|---|---|---|
| 0 | 0.00755 | epss | 0.73336 | 2026-04-29T12:55:00Z |
| 1 | 0.00755 | epss | 0.73205 | 2026-04-02T12:55:00Z |
| 2 | 0.00755 | epss | 0.73226 | 2026-04-04T12:55:00Z |
| 3 | 0.00755 | epss | 0.73199 | 2026-04-07T12:55:00Z |
| 4 | 0.00755 | epss | 0.73236 | 2026-04-08T12:55:00Z |
| 5 | 0.00755 | epss | 0.73249 | 2026-04-09T12:55:00Z |
| 6 | 0.00755 | epss | 0.73274 | 2026-04-11T12:55:00Z |
| 7 | 0.00755 | epss | 0.73254 | 2026-04-12T12:55:00Z |
| 8 | 0.00755 | epss | 0.73247 | 2026-04-13T12:55:00Z |
| 9 | 0.00755 | epss | 0.73289 | 2026-04-16T12:55:00Z |
| 10 | 0.00755 | epss | 0.73298 | 2026-04-18T12:55:00Z |
| 11 | 0.00755 | epss | 0.7329 | 2026-04-21T12:55:00Z |
| 12 | 0.00755 | epss | 0.73324 | 2026-04-24T12:55:00Z |
| 13 | 0.00755 | epss | 0.73338 | 2026-04-26T12:55:00Z |
url https://api.first.org/data/v1/epss?cve=CVE-2024-53259
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-53259
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-53259
3
reference_url https://github.com/quic-go/quic-go
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value 6.0
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/quic-go/quic-go
4
reference_url https://github.com/quic-go/quic-go/commit/ca31dd355cbe5fc6c5807992d9d1149c66c96a50
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value 6.0
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-02T19:27:58Z/
url https://github.com/quic-go/quic-go/commit/ca31dd355cbe5fc6c5807992d9d1149c66c96a50
5
reference_url https://github.com/quic-go/quic-go/pull/4729
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value 6.0
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-02T19:27:58Z/
url https://github.com/quic-go/quic-go/pull/4729
6
reference_url https://github.com/quic-go/quic-go/releases/tag/v0.48.2
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value 6.0
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-02T19:27:58Z/
url https://github.com/quic-go/quic-go/releases/tag/v0.48.2
7
reference_url https://github.com/quic-go/quic-go/security/advisories/GHSA-px8v-pp82-rcvr
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value 6.0
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-02T19:27:58Z/
url https://github.com/quic-go/quic-go/security/advisories/GHSA-px8v-pp82-rcvr
8
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-53259
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value 6.0
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-53259
9
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1089227
reference_id 1089227
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1089227
10
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2329991
reference_id 2329991
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2329991
11
reference_url https://access.redhat.com/errata/RHSA-2024:10766
reference_id RHSA-2024:10766
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:10766
12
reference_url https://access.redhat.com/errata/RHSA-2025:0385
reference_id RHSA-2025:0385
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:0385
13
reference_url https://access.redhat.com/errata/RHSA-2025:0386
reference_id RHSA-2025:0386
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:0386
14
reference_url https://access.redhat.com/errata/RHSA-2025:4250
reference_id RHSA-2025:4250
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:4250
15
reference_url https://access.redhat.com/errata/RHSA-2025:4810
reference_id RHSA-2025:4810
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:4810
fixed_packages
aliases CVE-2024-53259, GHSA-px8v-pp82-rcvr
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-u6kw-zxc9-q7gg
Fixing_vulnerabilities:
Risk_score: 3.1
Resource_url: http://public2.vulnerablecode.io/packages/pkg:rpm/redhat/receptor@1.5.1-2%3Farch=el9ap