chore(deps): update module github.com/quic-go/quic-go to v0.57.0 [security] #56

Open
renovate-bot wants to merge 1 commit from renovate/go-github.com-quic-go-quic-go-vulnerability into master
Collaborator

This PR contains the following updates:

Package Change
github.com/quic-go/quic-go v0.56.0 → v0.57.0

quic-go HTTP/3 QPACK Header Expansion DoS

CVE-2025-64702 / GHSA-g754-hx8w-x2g6 / GO-2025-4233

Details

Summary

An attacker can cause excessive memory allocation in quic-go's HTTP/3 client and server implementations by sending a QPACK-encoded HEADERS frame that decodes into a large header field section (many unique header names and/or large values). The implementation builds an http.Header (used on the http.Request and http.Response, respectively), while only enforcing limits on the size of the (QPACK-compressed) HEADERS frame, but not on the decoded header, leading to memory exhaustion.

Impact

A misbehaving or malicious peer can cause a denial-of-service (DoS) attack on quic-go's HTTP/3 servers or clients by triggering excessive memory allocation, potentially leading to crashes or exhaustion. It affects both servers and clients due to symmetric header construction.

Details

In HTTP/3, headers are compressed using QPACK (RFC 9204). quic-go's HTTP/3 server (and client) decodes the QPACK-encoded HEADERS frame into header fields, then constructs an http.Request (or response).

http3.Server.MaxHeaderBytes and http3.Transport.MaxResponseHeaderBytes, respectively, limit encoded HEADERS frame size (default: 1 MB server, 10 MB client), but not decoded size. A maliciously crafted HEADERS frame can expand to ~50x the encoded size using QPACK static table entries with long names / values.

RFC 9114 requires enforcing decoded field section size limits via SETTINGS, which quic-go did not do.

The Fix

quic-go now enforces RFC 9114 decoded field section size limits, sending SETTINGS_MAX_FIELD_SECTION_SIZE and using incremental QPACK decoding to check the header size after each entry, aborting early on violations with HTTP 431 (on the server side) and stream reset (on the client side).

Severity

  • CVSS Score: 5.3 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

References

  • https://github.com/quic-go/quic-go/security/advisories/GHSA-g754-hx8w-x2g6
  • https://nvd.nist.gov/vuln/detail/CVE-2025-64702
  • https://github.com/quic-go/quic-go/commit/5b2d2129f8315da41e01eff0a847ab38a34e83a8
  • https://github.com/quic-go/quic-go

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


HTTP/3 QPACK Header Expansion DoS in github.com/quic-go/quic-go

CVE-2025-64702 / GHSA-g754-hx8w-x2g6 / GO-2025-4233

Details

HTTP/3 QPACK Header Expansion DoS in github.com/quic-go/quic-go

Severity

Unknown

References

  • https://github.com/quic-go/quic-go/security/advisories/GHSA-g754-hx8w-x2g6
  • https://github.com/quic-go/quic-go/commit/5b2d2129f8315da41e01eff0a847ab38a34e83a8

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).


Release Notes

quic-go/quic-go (github.com/quic-go/quic-go)

v0.57.0

Compare Source

This release contains a fix for CVE-2025-64702 by reworking the HTTP/3 header processing logic:

  • Both client and server now send their respective header size constraints using the SETTINGS_MAX_FIELD_SECTION_SIZE setting: #​5431
  • For any QPACK-related errors, the correct error code (QPACK_DECOMPRESSION_FAILED) is now used: #​5439
  • QPACK header parsing is now incremental (instead of parsing all headers at once), which is ~5-10% faster and reduces allocations: #​5435 (and quic-go/qpack#67)
  • The server now sends a 431 status code (Request Header Fields Too Large) when encountering HTTP header fields exceeding the size constraint: #​5452

 

Breaking Changes

  • http3: Transport.MaxResponseBytes is now an int (before: int64): #​5433
     

Notable Fixes

  • qlogwriter: fix storing of event schemas (this prevented qlog event logging from working for HTTP/3): #​5430
  • http3: errors sending the request are now ignored, instead, the response from the server is read (thereby allowing the client to read the status code, for example): #​5432

What's Changed

  • build(deps): bump golangci/golangci-lint-action from 8 to 9 by @dependabot[bot] in #5426
  • qlogwriter: fix storing of event schemas by @marten-seemann in #5430
  • http3: send SETTINGS_MAX_FIELD_SECTION_SIZE in the SETTINGS frame by @marten-seemann in #5431
  • http3: read response after encountering error sending the request by @marten-seemann in #5432
  • http3: make Transport.MaxResponseBytes an int by @marten-seemann in #5433
  • http3: add a benchmark for header parsing by @marten-seemann in #5435
  • update qpack to v0.6.0 by @marten-seemann in #5434
  • http3: use QPACK_DECOMPRESSION_FAILED for QPACK errors by @marten-seemann in #5439
  • add documentation for Conn.NextConnection by @marten-seemann in #5442
  • ackhandler: don't generate an immediate ACK for the first packet by @marten-seemann in #5447
  • don't arm connection timer for connection ID retirement by @marten-seemann in #5449
  • README: add nodepass to list of projects by @yosebyte in #5448
  • qlogwriter: use synctest to make tests deterministic by @marten-seemann in #5454
  • http3: limit size of decompressed headers by @marten-seemann in #5452

New Contributors

  • @yosebyte made their first contribution in #5448
Full Changelog: https://github.com/quic-go/quic-go/compare/v0.56.0...v0.57.0


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.
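The check described under "The Fix" above, written out as an added example (this is not quic-go's or qpack's code): an incremental decoder for QPACK static-table indexed field lines that charges each field's uncompressed size plus the 32-byte per-field overhead of RFC 9114 §4.2.2 and aborts the moment the running total passes the advertised limit, rather than building the full header first. The static table here is a constructed two-entry stand-in (not the real RFC 9204 indices), and only the static indexed representation is handled.

```go
package main

import "errors"

var ErrTooLarge = errors.New("field section exceeds SETTINGS_MAX_FIELD_SECTION_SIZE")

// Constructed stand-in for the RFC 9204 static table (not its real indices): the one-byte
// indexed reference 0xC1 expands to entry 1, a field of 25+44+32 = 101 bytes.
var staticTable = [][2]string{
	{":method", "GET"},
	{"strict-transport-security", "max-age=31536000; includesubdomains; preload"},
}

// readPrefixInt decodes an RFC 7541 §5.1 integer with an n-bit prefix.
func readPrefixInt(buf []byte, n uint) (val uint64, rest []byte, err error) {
	if len(buf) == 0 { return 0, nil, errors.New("truncated integer") }
	mask := uint64(1)<<n - 1
	if val, buf = uint64(buf[0])&mask, buf[1:]; val < mask {
		return val, buf, nil // value fits in the prefix bits
	}
	for shift := uint(0); len(buf) > 0 && shift <= 56; shift += 7 { // 7 data bits per byte, MSB set = more
		b := buf[0]
		if val, buf = val+uint64(b&0x7f)<<shift, buf[1:]; b&0x80 == 0 {
			return val, buf, nil
		}
	}
	return 0, nil, errors.New("malformed integer")
}

// decodeLimited decodes a field section of static indexed field lines ("1T"+6-bit index, T=1),
// charging len(name)+len(value)+32 per field (RFC 9114 §4.2.2) and failing with ErrTooLarge
// as soon as the running total exceeds limit, instead of building the whole header first.
func decodeLimited(payload []byte, limit uint64) (fields [][2]string, size uint64, err error) {
	for _, n := range []uint{8, 7} { // prefix: Required Insert Count (8+), then S bit + Delta Base (7+)
		if _, payload, err = readPrefixInt(payload, n); err != nil { return nil, 0, err }
	}
	var idx uint64
	for len(payload) > 0 {
		if payload[0]&0xC0 != 0xC0 { // literal and dynamic-table forms are out of scope here
			return nil, size, errors.New("representation not handled in this example")
		}
		if idx, payload, err = readPrefixInt(payload, 6); err != nil { return nil, size, err }
		if idx >= uint64(len(staticTable)) { return nil, size, errors.New("QPACK_DECOMPRESSION_FAILED: invalid static index") }
		f := staticTable[idx]
		if size += uint64(len(f[0])+len(f[1])) + 32; size > limit {
			return nil, size, ErrTooLarge // server: 431 Request Header Fields Too Large; client: stream reset
		}
		fields = append(fields, f)
	}
	return fields, size, nil
}
```

A constructed 5-byte payload (two zero prefix bytes plus three 0xC1 references) decodes to 303 bytes of field-section size, so with a 250-byte limit it is rejected on the third field without the header ever being allocated.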


ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 1 additional dependency was updated

Details:

Package Change
github.com/quic-go/qpack v0.5.1 -> v0.6.0
renovate-bot force-pushed renovate/go-github.com-quic-go-quic-go-vulnerability from a151c78839 to 581c23668a 2026-01-03 07:14:39 +00:00

Checkout

From your project repository, check out a new branch and test the changes.
git fetch -u origin renovate/go-github.com-quic-go-quic-go-vulnerability:renovate/go-github.com-quic-go-quic-go-vulnerability
git switch renovate/go-github.com-quic-go-quic-go-vulnerability

Reference
happyDomain/happyDeliver!56