nemunaire/reveil

Fork 0

chore(deps): update module github.com/quic-go/quic-go to v0.57.0 [security] #306

Merged

nemunaire merged 1 commit from renovate/go-github.com-quic-go-quic-go-vulnerability into master

2026-02-16 16:06:03 +00:00

renovate-bot commented

2025-11-05 21:44:53 +00:00

Collaborator

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
github.com/quic-go/quic-go	`v0.54.0` → `v0.57.0`

Panic occurs when queuing undecryptable packets after handshake completion in github.com/quic-go/quic-go

CVE-2025-59530 / GHSA-47m2-4cr7-mhcw / GO-2025-4017

More information

Details

Panic occurs when queuing undecryptable packets after handshake completion in github.com/quic-go/quic-go

Severity

Unknown

References

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).

quic-go: Panic occurs when queuing undecryptable packets after handshake completion

CVE-2025-59530 / GHSA-47m2-4cr7-mhcw / GO-2025-4017

More information

Details

Summary

A misbehaving or malicious server can trigger an assertion in a quic-go client (and crash the process) by sending a premature HANDSHAKE_DONE frame during the handshake.

Impact

A misbehaving or malicious server can cause a denial-of-service (DoS) attack on the quic-go client by triggering an assertion failure, leading to a process crash. This requires no authentication and can be exploited during the handshake phase. Observed in the wild with certain server implementations (e.g. Solana's Firedancer QUIC).

Affected Versions

All versions prior to v0.49.1 (for the 0.49 branch)
Versions v0.50.0 to v0.54.0 (inclusive)
Fixed in v0.49.1, v0.54.1, and v0.55.0 onward

Users are recommended to upgrade to the latest patched version in their respective maintenance branch or to v0.55.0 or later.

Details

For a regular 1-RTT handshake, QUIC uses three sets of keys to encrypt / decrypt QUIC packets:

Initial keys (derived from a static key and the connection ID)
Handshake keys (derived from the client's and server's key shares in the TLS handshake)
1-RTT keys (derived when the TLS handshake finishes)

On the client side, Initial keys are discarded when the first Handshake packet is sent. Handshake keys are discarded when the server's HANDSHAKE_DONE frame is received, as specified in section 4.9.2 of RFC 9001. Crucially, Initial keys are always dropped before Handshake keys in a standard handshake.

Due to packet reordering, it is possible to receive a packet with a higher encryption level before the key for that encryption level has been derived. For example, the server's Handshake packets (containing, among others, the TLS certificate) might arrive before the server's Initial packet (which contains the TLS ServerHello). In that case, the client queues the Handshake packets and decrypts them as soon as it has processed the ServerHello and derived Handshake keys.

After completion of the handshake, Initial and Handshake packets are not needed anymore and will be dropped. quic-go implements an assertion that no packets are queued after completion of the handshake.

A misbehaving or malicious server can trigger this assertion, and thereby cause a panic, by sending a HANDSHAKE_DONE frame before actually completing the handshake. In that case, Handshake keys would be dropped before Initial keys.

This can only happen if the server implementation is misbehaving: the server can only complete the handshake after receiving the client's TLS Finished message (which is sent in Handshake packets).

The Fix

quic-go needs to be able to handle misbehaving server implementations, including those that prematurely send a HANDSHAKE_DONE frame. We now discard Initial keys when receiving a HANDSHAKE_DONE frame, thereby correctly handling premature HANDSHAKE_DONE frames. The fix was implemented in https://github.com/quic-go/quic-go/pull/5354.

Severity

CVSS Score: 7.5 / 10 (High)
Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

quic-go HTTP/3 QPACK Header Expansion DoS

CVE-2025-64702 / GHSA-g754-hx8w-x2g6 / GO-2025-4233

More information

Details

Summary

An attacker can cause excessive memory allocation in quic-go's HTTP/3 client and server implementations by sending a QPACK-encoded HEADERS frame that decodes into a large header field section (many unique header names and/or large values). The implementation builds an http.Header (used on the http.Request and http.Response, respectively), while only enforcing limits on the size of the (QPACK-compressed) HEADERS frame, but not on the decoded header, leading to memory exhaustion.

Impact

A misbehaving or malicious peer can cause a denial-of-service (DoS) attack on quic-go's HTTP/3 servers or clients by triggering excessive memory allocation, potentially leading to crashes or exhaustion. It affects both servers and clients due to symmetric header construction.

Details

In HTTP/3, headers are compressed using QPACK (RFC 9204). quic-go's HTTP/3 server (and client) decodes the QPACK-encoded HEADERS frame into header fields, then constructs an http.Request (or response).

http3.Server.MaxHeaderBytes and http3.Transport.MaxResponseHeaderBytes, respectively, limit encoded HEADERS frame size (default: 1 MB server, 10 MB client), but not decoded size. A maliciously crafted HEADERS frame can expand to ~50x the encoded size using QPACK static table entries with long names / values.

RFC 9114 requires enforcing decoded field section size limits via SETTINGS, which quic-go did not do.

The Fix

quic-go now enforces RFC 9114 decoded field section size limits, sending SETTINGS_MAX_FIELD_SECTION_SIZE and using incremental QPACK decoding to check the header size after each entry, aborting early on violations with HTTP 431 (on the server side) and stream reset (on the client side).

Severity

CVSS Score: 5.3 / 10 (Medium)
Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

HTTP/3 QPACK Header Expansion DoS in github.com/quic-go/quic-go

CVE-2025-64702 / GHSA-g754-hx8w-x2g6 / GO-2025-4233

More information

Details

HTTP/3 QPACK Header Expansion DoS in github.com/quic-go/quic-go

Severity

Unknown

References

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).

Release Notes

quic-go/quic-go (github.com/quic-go/quic-go)

`v0.57.0`

Compare Source

This release contains a fix for CVE-2025-64702 by reworking the HTTP/3 header processing logic:

Both client and server now send their respective header size constraints using the SETTINGS_MAX_FIELD_SECTION_SIZE setting: #5431
For any QPACK-related errors, the correct error code (QPACK_DECOMPRESSION_FAILED) is now used: #5439
QPACK header parsing is now incremental (instead of parsing all headers at once), which is ~5-10% faster and reduces allocations: #5435 (and quic-go/qpack#67)
The server now sends a 431 status code (Request Header Fields Too Large) when encountering HTTP header fields exceeding the size constraint: #5452

Breaking Changes

http3: Transport.MaxResponseBytes is now an int (before: int64): #5433

Notable Fixes

qlogwriter: fix storing of event schemas (this prevented qlog event logging from working for HTTP/3): #5430
http3: errors sending the request are now ignored, instead, the response from the server is read (thereby allowing the client to read the status code, for example): #5432

What's Changed

build(deps): bump golangci/golangci-lint-action from 8 to 9 by @dependabot[bot] in #5426
qlogwriter: fix storing of event schemas by @marten-seemann in #5430
http3: send SETTINGS_MAX_FIELD_SECTION_SIZE in the SETTINGS frame by @marten-seemann in #5431
http3: read response after encountering error sending the request by @marten-seemann in #5432
http3: make Transport.MaxResponseBytes an int by @marten-seemann in #5433
http3: add a benchmark for header parsing by @marten-seemann in #5435
update qpack to v0.6.0 by @marten-seemann in #5434
http3: use QPACK_DECOMPRESSION_FAILED for QPACK errors by @marten-seemann in #5439
add documentation for Conn.NextConnection by @marten-seemann in #5442
ackhandler: don’t generate an immediate ACK for the first packet by @marten-seemann in #5447
don’t arm connection timer for connection ID retirement by @marten-seemann in #5449
README: add nodepass to list of projects by @yosebyte in #5448
qlogwriter: use synctest to make tests deterministic by @marten-seemann in #5454
http3: limit size of decompressed headers by @marten-seemann in #5452

New Contributors

@yosebyte made their first contribution in #5448

Full Changelog: https://github.com/quic-go/quic-go/compare/v0.56.0...v0.57.0

`v0.56.0`

Compare Source

This release introduces qlog support for HTTP/3 (#5367, #5372, #5374, #5375, #5376, #5381, #5383).

For this, we completely changed how connection tracing works. Instead of a general-purpose logging.ConnectionTracer (which we removed entirely), we now have a qlog-specific tracer (#5356, #5417). quic-go users can now implement their own qlog events.

It also removes the Prometheus-based metrics collection. Please comment on the tracking issue (#5294) if you rely on metrics and are interested in seeing metrics brought back in a future release.

Notable Changes

replaced the unmaintained gojay with a custom, performance-optimized JSON encoder (#5353, #5371)
quicvarint: improved panic message for numbers larger than 2^62 (#5410)

Behind the Scenes

Go 1.25 introduced support for testing concurrent code using testing/synctest. We've been working on transitioning tests to use synctest (#5357, #5391, #5393, #5397, #5398, #5403, #5414, #5415), using @MarcoPolo's simnet package to simulate a network in memory.

Using synctest makes test execution more reliable (reducing flakiness). The use of a synthetic clock leads to a massive speedup; the execution time of some integration tests was reduced from 20s to less than 1ms. The work will continue for the next release (see tracking issue: #5386).

Changelog

qlog: implement a minimal jsontext-like JSON encoder by @marten-seemann in #5353
ci: remove 386 (32 bit x86) by @MarcoPolo in #5352
use synctest in more connection tests by @marten-seemann in #5357
qlog: split serializiation and event definitions, remove logging abstraction by @marten-seemann in #5356
qlogwriter: implement the draft-12 trace header by @marten-seemann in #5360
qlogwriter: add support for event_schemas in the trace header by @marten-seemann in #5361
qlogwriter: pass the event time to Event.Encode by @marten-seemann in #5362
ackhandler: fix qlogging of alarm timer expiration time by @marten-seemann in #5363
qlog: privatize Encode functions of non-Event structs by @marten-seemann in #5364
fix qlogging of the short header payload length by @marten-seemann in #5365
ci: include OS and Go version in Codecov test report upload by @marten-seemann in #5370
http3: add basic server-side qlog support by @marten-seemann in #5367
jsontext: add support for encoding null by @marten-seemann in #5371
qlog: use PathEndpointInfo in connection_started by @marten-seemann in #5368
http3: fix qlog encoding of frame_parsed and frame_created events by @marten-seemann in #5372
http3: add basic client-side qlog support by @marten-seemann in #5374
readme: update oss-fuzz link by @kriztalz in #5377
http3: qlog sent and received GOAWAY frames by @marten-seemann in #5376
http3: qlog sent and received DATAGRAMs by @marten-seemann in #5375
http3: move qlogging of frames into the frame parser by @marten-seemann in #5378
http3: qlog sent and received SETTINGS frames by @marten-seemann in #5379
http3: qlog the frame length and payload length of parsed frames by @marten-seemann in #5380
http3: qlog reserved, unsupported and unknown frames by @marten-seemann in #5381
http3: add the qlog event schema to trace header by @marten-seemann in #5383
use default RTT (100ms) for 0-RTT if no prior estimate by @marten-seemann in #5388
congestion: avoid overflows when calculating pacer budget by @marten-seemann in #5390
add simnet package to simulate a net.PacketConn in memory by @marten-seemann in #5385
use synctest for transport tests by @marten-seemann in #5391
use simnet in CONNECTION_CLOSE retransmission test by @marten-seemann in #5395
use synctest for the packet drop test by @marten-seemann in #5393
use synctest for the handshake drop test by @marten-seemann in #5397
use synctest for the datagram test by @marten-seemann in #5398
use synctest for the timeout tests by @marten-seemann in #5403
fix flaky TestConnectionUnpackFailureDropped by @Copilot in #5382
fix flaky TestServerTransportClose by @Copilot in #5407
ci: use gcassert to check that quicvarint.Len is inlined by @marten-seemann in #5409
quicvarint: improve panic message for numbers larger 2^62 by @marten-seemann in #5410
ci: bump actions/upload-artifact from 4 to 5 by @dependabot[bot] in #5411
ci: update golangci-lint to v2.6.0 by @marten-seemann in #5412
qlog: rename owner to initiator by @marten-seemann in #5416
use synctest for the stateless reset tests by @marten-seemann in #5415
ackhandler: fix qlogging of RTT values by @marten-seemann in #5418
qlog: rework the ConnectionClosed event by @marten-seemann in #5417
qlog: split the PTO count updates ouf of the MetricsUpdated event by @marten-seemann in #5421

New Contributors

@kriztalz made their first contribution in #5377
@Copilot made their first contribution in #5382

Full Changelog: https://github.com/quic-go/quic-go/compare/v0.55.0...v0.56.0

`v0.55.0`

Compare Source

This release contains a number of improvements and fixes, and it updates the supported Go versions to 1.24 and 1.25.

Optimizations

When sending packets on a QUIC connection, RFC 9002 requires us to save the timestamp for every packet sent. In #5344, we implemented a memory-optimized drop-in replacement for time.Time, which reduces the memory required from 24 to 8 bytes, and vastly speeds up timer calculations (which happen very frequently).

New Features

Basic connection statistics are now exposed via Conn.ConnectionStats, thanks to @MarcoPolo
On some links, packet reordering can lead to spurious detections of packet loss when using the loss detection logic specified in RFC 9002. #5355 adds logic detect when packet loss is detected spuriously.

Notable Fixes

http3: don't allow usage of closed Transport: #5324, thanks to @Glonee
http3: fix race in concurrent Transport.Roundtrip calls: #5323, thanks to @Glonee
improve and fix connection timer logic: #5339, thanks to @sukunrt for a very comprehensive code review

Behind the Scenes

We have started transitioning tests to make use of the new synctest package that was added in Go 1.25 (and was available as a GOEXPERIMENT in Go 1.24): #5291, #5296, #5298, #5299, #5302, #5304, #5305, #5306, #5317. This is a lot of work, but it makes the test execution both faster and more reliable.

Changelog

wire: implement parsing and writing of the ACK_FREQUENCY frame by @marten-seemann in #5264
wire: implement parsing and writing of the IMMEDIATE_ACK frame by @marten-seemann in #5265
fuzzing: fix timeout in frame parser by @jannis-seemann in #5268
wire: add support for the min_ack_delay transport parameter by @marten-seemann in #5266
fix missing log statement for STREAM, DATAGRAM and ACK by @jannis-seemann in #5273
qlog: add support for ACK_FREQUENCY and IMMEDIATE_ACK frames by @marten-seemann in #5276
ackhandler: remove unused time from receivedPacketHandler.ReceivedPacket by @marten-seemann in #5277
quicvarint: extend benchmark to use quicvarint.Reader by @marten-seemann in #5278
quicvarint: tolerate empty reads of the underlying io.Reader by @bemasc in #5275
http3: fix documentation for Server.ServeListener by @WeidiDeng in #5282
expose connection stats via Conn.ConnectionStats by @marten-seemann in #5281
ackhandler: generalize check for missing packets below threshold by @marten-seemann in #5260
update to Go 1.25, drop Go 1.23, use go tool for gomock by @marten-seemann in #5283
replace interface{} with any by @marten-seemann in #5290
use testing.B.Loop in all benchmark tests by @marten-seemann in #5285
build(deps): bump actions/checkout from 4 to 5 by @dependabot[bot] in #5293
use synctest to make receive stream tests fully deterministc by @marten-seemann in #5291
use synctest to make streams map tests fully deterministic by @marten-seemann in #5296
ci: cache the Go build cache for cross-compilation workflow by @marten-seemann in #5297
ci: fix cache save and restore logic for cross compile workflow by @marten-seemann in #5300
restore previously deleted TestStreamsMapConcurrent test by @marten-seemann in #5301
use synctest to make the send queue tests fully deterministic by @marten-seemann in #5302
use synctest to make the send stream tests fully deterministic by @marten-seemann in #5298
ci: use go mod tidy -diff to check for tidied go.mod by @marten-seemann in #5303
use synctest to make the datagram queue tests fully deterministic by @marten-seemann in #5305
utils: use synctest to make the timer tests fully deterministic by @marten-seemann in #5306
ackhandler: fix resetting of packet.isPathProbePacket by @marten-seemann in #5310
ackhandler: use an iterator to process received packet ranges by @marten-seemann in #5309
ackhandler: use a typed mock for the ECNHandler by @marten-seemann in #5311
ackhandler: immediately clear ackedPacket slice after processing ACK by @marten-seemann in #5313
ci: improve cache key generation for the cross compilation job by @marten-seemann in #5315
ci: fix cache paths in cross compile workflow by @marten-seemann in #5318
ackhandler: avoid storing packet number in packet struct by @marten-seemann in #5312
ackhandler: store skipped packet numbers separately by @marten-seemann in #5314
ackhandler: account for skipped packets in packet threshold calculation by @marten-seemann in #5316
ackhandler: store the last four skipped packets by @marten-seemann in #5322
http3: fix data race in Transport by @Glonee in #5323
qlog: add a benchmark for the ConnectionTracer by @marten-seemann in #5328
qlog: merge event category and name by @marten-seemann in #5329
http3: don't allow usage of closed Transport by @Glonee in #5324
build(deps): bump actions/setup-go from 5 to 6 by @dependabot[bot] in #5330
fix: return stream frames to pool on error paths by @lidel in #5327
ackhandler: add a benchmark for sending and acknowledging packets by @marten-seemann in #5333
implement a memory-optimized time.Time replacement by @marten-seemann in #5334
add a benchmark test for data transfers by @marten-seemann in #5335
improve connection timer logic by @marten-seemann in #5339
use synctest to make the connection tests fully deterministic by @marten-seemann in #5317
drop initial packets when the handshake is confirmed by @marten-seemann in #5354
protocol: optimize ConnectionID.String by @marten-seemann in #5351
fix missing tracing of restored transport parameters by @marten-seemann in #5349
ackhandler: track lost packets and detect spurious losses by @marten-seemann in #5355

New Contributors

@bemasc made their first contribution in #5275
@lidel made their first contribution in #5327

Full Changelog: https://github.com/quic-go/quic-go/compare/v0.54.0...v0.55.0

`v0.54.1`

Compare Source

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Adoption](https://docs.renovatebot.com/merge-confidence/) | [Passing](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---|---|---| | [github.com/quic-go/quic-go](https://github.com/quic-go/quic-go) | `v0.54.0` → `v0.57.0` | ![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2fquic-go%2fquic-go/v0.57.0?slim=true) | ![adoption](https://developer.mend.io/api/mc/badges/adoption/go/github.com%2fquic-go%2fquic-go/v0.57.0?slim=true) | ![passing](https://developer.mend.io/api/mc/badges/compatibility/go/github.com%2fquic-go%2fquic-go/v0.54.0/v0.57.0?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2fquic-go%2fquic-go/v0.54.0/v0.57.0?slim=true) | --- ### Panic occurs when queuing undecryptable packets after handshake completion in github.com/quic-go/quic-go [CVE-2025-59530](https://nvd.nist.gov/vuln/detail/CVE-2025-59530) / [GHSA-47m2-4cr7-mhcw](https://github.com/advisories/GHSA-47m2-4cr7-mhcw) / [GO-2025-4017](https://pkg.go.dev/vuln/GO-2025-4017) <details> <summary>More information</summary> #### Details Panic occurs when queuing undecryptable packets after handshake completion in github.com/quic-go/quic-go #### Severity Unknown #### References - [https://github.com/quic-go/quic-go/security/advisories/GHSA-47m2-4cr7-mhcw](https://github.com/quic-go/quic-go/security/advisories/GHSA-47m2-4cr7-mhcw) - [https://github.com/quic-go/quic-go/commit/bc5bccf10fd02728eef150683eb4dfaa5c0e749c](https://github.com/quic-go/quic-go/commit/bc5bccf10fd02728eef150683eb4dfaa5c0e749c) - [https://github.com/quic-go/quic-go/commit/ce7c9ea8834b9d2ed79efa9269467f02c0895d42](https://github.com/quic-go/quic-go/commit/ce7c9ea8834b9d2ed79efa9269467f02c0895d42) - [https://github.com/quic-go/quic-go/pull/5354](https://github.com/quic-go/quic-go/pull/5354) - [https://github.com/quic-go/quic-go/blob/v0.55.0/connection.go#L2682-L2685](https://github.com/quic-go/quic-go/blob/v0.55.0/connection.go#L2682-L2685) This data is provided by [OSV](https://osv.dev/vulnerability/GO-2025-4017) and the [Go Vulnerability Database](https://github.com/golang/vulndb) ([CC-BY 4.0](https://github.com/golang/vulndb#license)). </details> --- ### quic-go: Panic occurs when queuing undecryptable packets after handshake completion [CVE-2025-59530](https://nvd.nist.gov/vuln/detail/CVE-2025-59530) / [GHSA-47m2-4cr7-mhcw](https://github.com/advisories/GHSA-47m2-4cr7-mhcw) / [GO-2025-4017](https://pkg.go.dev/vuln/GO-2025-4017) <details> <summary>More information</summary> #### Details ##### Summary A misbehaving or malicious server can trigger an assertion in a quic-go client (and crash the process) by sending a premature HANDSHAKE_DONE frame during the handshake. ##### Impact A misbehaving or malicious server can cause a denial-of-service (DoS) attack on the quic-go client by triggering an assertion failure, leading to a process crash. This requires no authentication and can be exploited during the handshake phase. Observed in the wild with certain server implementations (e.g. Solana's Firedancer QUIC). ##### Affected Versions - All versions prior to v0.49.1 (for the 0.49 branch) - Versions v0.50.0 to v0.54.0 (inclusive) - Fixed in v0.49.1, v0.54.1, and v0.55.0 onward Users are recommended to upgrade to the latest patched version in their respective maintenance branch or to v0.55.0 or later. ##### Details For a regular 1-RTT handshake, QUIC uses three sets of keys to encrypt / decrypt QUIC packets: - Initial keys (derived from a static key and the connection ID) - Handshake keys (derived from the client's and server's key shares in the TLS handshake) - 1-RTT keys (derived when the TLS handshake finishes) On the client side, Initial keys are discarded when the first Handshake packet is sent. Handshake keys are discarded when the server's HANDSHAKE_DONE frame is received, as specified in section 4.9.2 of RFC 9001. Crucially, Initial keys are always dropped before Handshake keys in a standard handshake. Due to packet reordering, it is possible to receive a packet with a higher encryption level before the key for that encryption level has been derived. For example, the server's Handshake packets (containing, among others, the TLS certificate) might arrive before the server's Initial packet (which contains the TLS ServerHello). In that case, the client queues the Handshake packets and decrypts them as soon as it has processed the ServerHello and derived Handshake keys. After completion of the handshake, Initial and Handshake packets are not needed anymore and will be dropped. quic-go implements an [assertion](https://github.com/quic-go/quic-go/blob/v0.55.0/connection.go#L2682-L2685) that no packets are queued after completion of the handshake. A misbehaving or malicious server can trigger this assertion, and thereby cause a panic, by sending a HANDSHAKE_DONE frame before actually completing the handshake. In that case, Handshake keys would be dropped before Initial keys. This can only happen if the server implementation is misbehaving: the server can only complete the handshake after receiving the client's TLS Finished message (which is sent in Handshake packets). ##### The Fix quic-go needs to be able to handle misbehaving server implementations, including those that prematurely send a HANDSHAKE_DONE frame. We now discard Initial keys when receiving a HANDSHAKE_DONE frame, thereby correctly handling premature HANDSHAKE_DONE frames. The fix was implemented in https://github.com/quic-go/quic-go/pull/5354. #### Severity - CVSS Score: 7.5 / 10 (High) - Vector String: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H` #### References - [https://github.com/quic-go/quic-go/security/advisories/GHSA-47m2-4cr7-mhcw](https://github.com/quic-go/quic-go/security/advisories/GHSA-47m2-4cr7-mhcw) - [https://nvd.nist.gov/vuln/detail/CVE-2025-59530](https://nvd.nist.gov/vuln/detail/CVE-2025-59530) - [https://github.com/quic-go/quic-go/pull/5354](https://github.com/quic-go/quic-go/pull/5354) - [https://github.com/quic-go/quic-go/commit/bc5bccf10fd02728eef150683eb4dfaa5c0e749c](https://github.com/quic-go/quic-go/commit/bc5bccf10fd02728eef150683eb4dfaa5c0e749c) - [https://github.com/quic-go/quic-go/commit/ce7c9ea8834b9d2ed79efa9269467f02c0895d42](https://github.com/quic-go/quic-go/commit/ce7c9ea8834b9d2ed79efa9269467f02c0895d42) - [https://github.com/quic-go/quic-go](https://github.com/quic-go/quic-go) - [https://github.com/quic-go/quic-go/blob/v0.55.0/connection.go#L2682-L2685](https://github.com/quic-go/quic-go/blob/v0.55.0/connection.go#L2682-L2685) - [https://pkg.go.dev/vuln/GO-2025-4017](https://pkg.go.dev/vuln/GO-2025-4017) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-47m2-4cr7-mhcw) and the [GitHub Advisory Database](https://github.com/github/advisory-database) ([CC-BY 4.0](https://github.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### quic-go HTTP/3 QPACK Header Expansion DoS [CVE-2025-64702](https://nvd.nist.gov/vuln/detail/CVE-2025-64702) / [GHSA-g754-hx8w-x2g6](https://github.com/advisories/GHSA-g754-hx8w-x2g6) / [GO-2025-4233](https://pkg.go.dev/vuln/GO-2025-4233) <details> <summary>More information</summary> #### Details ##### Summary An attacker can cause excessive memory allocation in quic-go's HTTP/3 client and server implementations by sending a QPACK-encoded HEADERS frame that decodes into a large header field section (many unique header names and/or large values). The implementation builds an `http.Header` (used on the `http.Request` and `http.Response`, respectively), while only enforcing limits on the size of the (QPACK-compressed) HEADERS frame, but not on the decoded header, leading to memory exhaustion. ##### Impact A misbehaving or malicious peer can cause a denial-of-service (DoS) attack on quic-go's HTTP/3 servers or clients by triggering excessive memory allocation, potentially leading to crashes or exhaustion. It affects both servers and clients due to symmetric header construction. ##### Details In HTTP/3, headers are compressed using QPACK (RFC 9204). quic-go's HTTP/3 server (and client) decodes the QPACK-encoded HEADERS frame into header fields, then constructs an http.Request (or response). `http3.Server.MaxHeaderBytes` and `http3.Transport.MaxResponseHeaderBytes`, respectively, limit encoded HEADERS frame size (default: 1 MB server, 10 MB client), but not decoded size. A maliciously crafted HEADERS frame can expand to ~50x the encoded size using QPACK static table entries with long names / values. RFC 9114 requires enforcing decoded field section size limits via SETTINGS, which quic-go did not do. ##### The Fix quic-go now enforces RFC 9114 decoded field section size limits, sending SETTINGS_MAX_FIELD_SECTION_SIZE and using incremental QPACK decoding to check the header size after each entry, aborting early on violations with HTTP 431 (on the server side) and stream reset (on the client side). #### Severity - CVSS Score: 5.3 / 10 (Medium) - Vector String: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L` #### References - [https://github.com/quic-go/quic-go/security/advisories/GHSA-g754-hx8w-x2g6](https://github.com/quic-go/quic-go/security/advisories/GHSA-g754-hx8w-x2g6) - [https://nvd.nist.gov/vuln/detail/CVE-2025-64702](https://nvd.nist.gov/vuln/detail/CVE-2025-64702) - [https://github.com/quic-go/quic-go/commit/5b2d2129f8315da41e01eff0a847ab38a34e83a8](https://github.com/quic-go/quic-go/commit/5b2d2129f8315da41e01eff0a847ab38a34e83a8) - [https://github.com/quic-go/quic-go](https://github.com/quic-go/quic-go) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-g754-hx8w-x2g6) and the [GitHub Advisory Database](https://github.com/github/advisory-database) ([CC-BY 4.0](https://github.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### HTTP/3 QPACK Header Expansion DoS in github.com/quic-go/quic-go [CVE-2025-64702](https://nvd.nist.gov/vuln/detail/CVE-2025-64702) / [GHSA-g754-hx8w-x2g6](https://github.com/advisories/GHSA-g754-hx8w-x2g6) / [GO-2025-4233](https://pkg.go.dev/vuln/GO-2025-4233) <details> <summary>More information</summary> #### Details HTTP/3 QPACK Header Expansion DoS in github.com/quic-go/quic-go #### Severity Unknown #### References - [https://github.com/quic-go/quic-go/security/advisories/GHSA-g754-hx8w-x2g6](https://github.com/quic-go/quic-go/security/advisories/GHSA-g754-hx8w-x2g6) - [https://github.com/quic-go/quic-go/commit/5b2d2129f8315da41e01eff0a847ab38a34e83a8](https://github.com/quic-go/quic-go/commit/5b2d2129f8315da41e01eff0a847ab38a34e83a8) This data is provided by [OSV](https://osv.dev/vulnerability/GO-2025-4233) and the [Go Vulnerability Database](https://github.com/golang/vulndb) ([CC-BY 4.0](https://github.com/golang/vulndb#license)). </details> --- ### Release Notes <details> <summary>quic-go/quic-go (github.com/quic-go/quic-go)</summary> ### [`v0.57.0`](https://github.com/quic-go/quic-go/releases/tag/v0.57.0) [Compare Source](https://github.com/quic-go/quic-go/compare/v0.56.0...v0.57.0) This release contains a fix for CVE-2025-64702 by reworking the HTTP/3 header processing logic: - Both client and server now send their respective header size constraints using the SETTINGS\_MAX\_FIELD\_SECTION\_SIZE setting: [#5431](https://github.com/quic-go/quic-go/issues/5431) - For any QPACK-related errors, the correct error code (QPACK\_DECOMPRESSION\_FAILED) is now used: [#5439](https://github.com/quic-go/quic-go/issues/5439) - QPACK header parsing is now incremental (instead of parsing all headers at once), which is \~5-10% faster and reduces allocations: [#5435](https://github.com/quic-go/quic-go/issues/5435) (and [quic-go/qpack#67](https://github.com/quic-go/qpack/pull/67)) - The server now sends a 431 status code (Request Header Fields Too Large) when encountering HTTP header fields exceeding the size constraint: [#5452](https://github.com/quic-go/quic-go/issues/5452) #### Breaking Changes - http3: `Transport.MaxResponseBytes` is now an `int` (before: `int64`): [#5433](https://github.com/quic-go/quic-go/issues/5433) #### Notable Fixes - qlogwriter: fix storing of event schemas (this prevented qlog event logging from working for HTTP/3): [#5430](https://github.com/quic-go/quic-go/issues/5430) - http3: errors sending the request are now ignored, instead, the response from the server is read (thereby allowing the client to read the status code, for example): [#5432](https://github.com/quic-go/quic-go/issues/5432) #### What's Changed - build(deps): bump golangci/golangci-lint-action from 8 to 9 by [@dependabot](https://github.com/dependabot)\[bot] in [#5426](https://github.com/quic-go/quic-go/pull/5426) - qlogwriter: fix storing of event schemas by [@marten-seemann](https://github.com/marten-seemann) in [#5430](https://github.com/quic-go/quic-go/pull/5430) - http3: send SETTINGS\_MAX\_FIELD\_SECTION\_SIZE in the SETTINGS frame by [@marten-seemann](https://github.com/marten-seemann) in [#5431](https://github.com/quic-go/quic-go/pull/5431) - http3: read response after encountering error sending the request by [@marten-seemann](https://github.com/marten-seemann) in [#5432](https://github.com/quic-go/quic-go/pull/5432) - http3: make Transport.MaxResponseBytes an int by [@marten-seemann](https://github.com/marten-seemann) in [#5433](https://github.com/quic-go/quic-go/pull/5433) - http3: add a benchmark for header parsing by [@marten-seemann](https://github.com/marten-seemann) in [#5435](https://github.com/quic-go/quic-go/pull/5435) - update qpack to v0.6.0 by [@marten-seemann](https://github.com/marten-seemann) in [#5434](https://github.com/quic-go/quic-go/pull/5434) - http3: use QPACK\_DECOMPRESSION\_FAILED for QPACK errors by [@marten-seemann](https://github.com/marten-seemann) in [#5439](https://github.com/quic-go/quic-go/pull/5439) - add documentation for Conn.NextConnection by [@marten-seemann](https://github.com/marten-seemann) in [#5442](https://github.com/quic-go/quic-go/pull/5442) - ackhandler: don’t generate an immediate ACK for the first packet by [@marten-seemann](https://github.com/marten-seemann) in [#5447](https://github.com/quic-go/quic-go/pull/5447) - don’t arm connection timer for connection ID retirement by [@marten-seemann](https://github.com/marten-seemann) in [#5449](https://github.com/quic-go/quic-go/pull/5449) - README: add nodepass to list of projects by [@yosebyte](https://github.com/yosebyte) in [#5448](https://github.com/quic-go/quic-go/pull/5448) - qlogwriter: use synctest to make tests deterministic by [@marten-seemann](https://github.com/marten-seemann) in [#5454](https://github.com/quic-go/quic-go/pull/5454) - http3: limit size of decompressed headers by [@marten-seemann](https://github.com/marten-seemann) in [#5452](https://github.com/quic-go/quic-go/pull/5452) #### New Contributors - [@yosebyte](https://github.com/yosebyte) made their first contribution in [#5448](https://github.com/quic-go/quic-go/pull/5448) **Full Changelog**: <https://github.com/quic-go/quic-go/compare/v0.56.0...v0.57.0> ### [`v0.56.0`](https://github.com/quic-go/quic-go/releases/tag/v0.56.0) [Compare Source](https://github.com/quic-go/quic-go/compare/v0.55.0...v0.56.0) This release introduces qlog support for HTTP/3 ([#5367](https://github.com/quic-go/quic-go/issues/5367), [#5372](https://github.com/quic-go/quic-go/issues/5372), [#5374](https://github.com/quic-go/quic-go/issues/5374), [#5375](https://github.com/quic-go/quic-go/issues/5375), [#5376](https://github.com/quic-go/quic-go/issues/5376), [#5381](https://github.com/quic-go/quic-go/issues/5381), [#5383](https://github.com/quic-go/quic-go/issues/5383)). For this, we completely changed how connection tracing works. Instead of a general-purpose `logging.ConnectionTracer` (which we removed entirely), we now have a qlog-specific tracer ([#5356](https://github.com/quic-go/quic-go/issues/5356), [#5417](https://github.com/quic-go/quic-go/issues/5417)). quic-go users can now implement their own qlog events. It also removes the Prometheus-based metrics collection. Please comment on the tracking issue ([#5294](https://github.com/quic-go/quic-go/issues/5294)) if you rely on metrics and are interested in seeing metrics brought back in a future release. #### Notable Changes - replaced the unmaintained gojay with a custom, performance-optimized JSON encoder ([#5353](https://github.com/quic-go/quic-go/issues/5353), [#5371](https://github.com/quic-go/quic-go/issues/5371)) - quicvarint: improved panic message for numbers larger than 2^62 ([#5410](https://github.com/quic-go/quic-go/issues/5410)) #### Behind the Scenes Go 1.25 [introduced](https://go.dev/blog/synctest) support for testing concurrent code using `testing/synctest`. We've been working on transitioning tests to use synctest ([#5357](https://github.com/quic-go/quic-go/issues/5357), [#5391](https://github.com/quic-go/quic-go/issues/5391), [#5393](https://github.com/quic-go/quic-go/issues/5393), [#5397](https://github.com/quic-go/quic-go/issues/5397), [#5398](https://github.com/quic-go/quic-go/issues/5398), [#5403](https://github.com/quic-go/quic-go/issues/5403), [#5414](https://github.com/quic-go/quic-go/issues/5414), [#5415](https://github.com/quic-go/quic-go/issues/5415)), using [@MarcoPolo](https://github.com/MarcoPolo)'s simnet package to simulate a network in memory. Using synctest makes test execution more reliable (reducing flakiness). The use of a synthetic clock leads to a massive speedup; the execution time of some integration tests was reduced from 20s to less than 1ms. The work will continue for the next release (see tracking issue: [#5386](https://github.com/quic-go/quic-go/issues/5386)). #### Changelog - qlog: implement a minimal jsontext-like JSON encoder by [@marten-seemann](https://github.com/marten-seemann) in [#5353](https://github.com/quic-go/quic-go/pull/5353) - ci: remove 386 (32 bit x86) by [@MarcoPolo](https://github.com/MarcoPolo) in [#5352](https://github.com/quic-go/quic-go/pull/5352) - use synctest in more connection tests by [@marten-seemann](https://github.com/marten-seemann) in [#5357](https://github.com/quic-go/quic-go/pull/5357) - qlog: split serializiation and event definitions, remove logging abstraction by [@marten-seemann](https://github.com/marten-seemann) in [#5356](https://github.com/quic-go/quic-go/pull/5356) - qlogwriter: implement the draft-12 trace header by [@marten-seemann](https://github.com/marten-seemann) in [#5360](https://github.com/quic-go/quic-go/pull/5360) - qlogwriter: add support for event\_schemas in the trace header by [@marten-seemann](https://github.com/marten-seemann) in [#5361](https://github.com/quic-go/quic-go/pull/5361) - qlogwriter: pass the event time to Event.Encode by [@marten-seemann](https://github.com/marten-seemann) in [#5362](https://github.com/quic-go/quic-go/pull/5362) - ackhandler: fix qlogging of alarm timer expiration time by [@marten-seemann](https://github.com/marten-seemann) in [#5363](https://github.com/quic-go/quic-go/pull/5363) - qlog: privatize Encode functions of non-Event structs by [@marten-seemann](https://github.com/marten-seemann) in [#5364](https://github.com/quic-go/quic-go/pull/5364) - fix qlogging of the short header payload length by [@marten-seemann](https://github.com/marten-seemann) in [#5365](https://github.com/quic-go/quic-go/pull/5365) - ci: include OS and Go version in Codecov test report upload by [@marten-seemann](https://github.com/marten-seemann) in [#5370](https://github.com/quic-go/quic-go/pull/5370) - http3: add basic server-side qlog support by [@marten-seemann](https://github.com/marten-seemann) in [#5367](https://github.com/quic-go/quic-go/pull/5367) - jsontext: add support for encoding null by [@marten-seemann](https://github.com/marten-seemann) in [#5371](https://github.com/quic-go/quic-go/pull/5371) - qlog: use PathEndpointInfo in connection\_started by [@marten-seemann](https://github.com/marten-seemann) in [#5368](https://github.com/quic-go/quic-go/pull/5368) - http3: fix qlog encoding of frame\_parsed and frame\_created events by [@marten-seemann](https://github.com/marten-seemann) in [#5372](https://github.com/quic-go/quic-go/pull/5372) - http3: add basic client-side qlog support by [@marten-seemann](https://github.com/marten-seemann) in [#5374](https://github.com/quic-go/quic-go/pull/5374) - readme: update oss-fuzz link by [@kriztalz](https://github.com/kriztalz) in [#5377](https://github.com/quic-go/quic-go/pull/5377) - http3: qlog sent and received GOAWAY frames by [@marten-seemann](https://github.com/marten-seemann) in [#5376](https://github.com/quic-go/quic-go/pull/5376) - http3: qlog sent and received DATAGRAMs by [@marten-seemann](https://github.com/marten-seemann) in [#5375](https://github.com/quic-go/quic-go/pull/5375) - http3: move qlogging of frames into the frame parser by [@marten-seemann](https://github.com/marten-seemann) in [#5378](https://github.com/quic-go/quic-go/pull/5378) - http3: qlog sent and received SETTINGS frames by [@marten-seemann](https://github.com/marten-seemann) in [#5379](https://github.com/quic-go/quic-go/pull/5379) - http3: qlog the frame length and payload length of parsed frames by [@marten-seemann](https://github.com/marten-seemann) in [#5380](https://github.com/quic-go/quic-go/pull/5380) - http3: qlog reserved, unsupported and unknown frames by [@marten-seemann](https://github.com/marten-seemann) in [#5381](https://github.com/quic-go/quic-go/pull/5381) - http3: add the qlog event schema to trace header by [@marten-seemann](https://github.com/marten-seemann) in [#5383](https://github.com/quic-go/quic-go/pull/5383) - use default RTT (100ms) for 0-RTT if no prior estimate by [@marten-seemann](https://github.com/marten-seemann) in [#5388](https://github.com/quic-go/quic-go/pull/5388) - congestion: avoid overflows when calculating pacer budget by [@marten-seemann](https://github.com/marten-seemann) in [#5390](https://github.com/quic-go/quic-go/pull/5390) - add simnet package to simulate a net.PacketConn in memory by [@marten-seemann](https://github.com/marten-seemann) in [#5385](https://github.com/quic-go/quic-go/pull/5385) - use synctest for transport tests by [@marten-seemann](https://github.com/marten-seemann) in [#5391](https://github.com/quic-go/quic-go/pull/5391) - use simnet in CONNECTION\_CLOSE retransmission test by [@marten-seemann](https://github.com/marten-seemann) in [#5395](https://github.com/quic-go/quic-go/pull/5395) - use synctest for the packet drop test by [@marten-seemann](https://github.com/marten-seemann) in [#5393](https://github.com/quic-go/quic-go/pull/5393) - use synctest for the handshake drop test by [@marten-seemann](https://github.com/marten-seemann) in [#5397](https://github.com/quic-go/quic-go/pull/5397) - use synctest for the datagram test by [@marten-seemann](https://github.com/marten-seemann) in [#5398](https://github.com/quic-go/quic-go/pull/5398) - use synctest for the timeout tests by [@marten-seemann](https://github.com/marten-seemann) in [#5403](https://github.com/quic-go/quic-go/pull/5403) - fix flaky TestConnectionUnpackFailureDropped by [@Copilot](https://github.com/Copilot) in [#5382](https://github.com/quic-go/quic-go/pull/5382) - fix flaky TestServerTransportClose by [@Copilot](https://github.com/Copilot) in [#5407](https://github.com/quic-go/quic-go/pull/5407) - ci: use gcassert to check that quicvarint.Len is inlined by [@marten-seemann](https://github.com/marten-seemann) in [#5409](https://github.com/quic-go/quic-go/pull/5409) - quicvarint: improve panic message for numbers larger 2^62 by [@marten-seemann](https://github.com/marten-seemann) in [#5410](https://github.com/quic-go/quic-go/pull/5410) - ci: bump actions/upload-artifact from 4 to 5 by [@dependabot](https://github.com/dependabot)\[bot] in [#5411](https://github.com/quic-go/quic-go/pull/5411) - ci: update golangci-lint to v2.6.0 by [@marten-seemann](https://github.com/marten-seemann) in [#5412](https://github.com/quic-go/quic-go/pull/5412) - qlog: rename owner to initiator by [@marten-seemann](https://github.com/marten-seemann) in [#5416](https://github.com/quic-go/quic-go/pull/5416) - use synctest for the stateless reset tests by [@marten-seemann](https://github.com/marten-seemann) in [#5415](https://github.com/quic-go/quic-go/pull/5415) - ackhandler: fix qlogging of RTT values by [@marten-seemann](https://github.com/marten-seemann) in [#5418](https://github.com/quic-go/quic-go/pull/5418) - qlog: rework the ConnectionClosed event by [@marten-seemann](https://github.com/marten-seemann) in [#5417](https://github.com/quic-go/quic-go/pull/5417) - qlog: split the PTO count updates ouf of the MetricsUpdated event by [@marten-seemann](https://github.com/marten-seemann) in [#5421](https://github.com/quic-go/quic-go/pull/5421) #### New Contributors - [@kriztalz](https://github.com/kriztalz) made their first contribution in [#5377](https://github.com/quic-go/quic-go/pull/5377) - [@Copilot](https://github.com/Copilot) made their first contribution in [#5382](https://github.com/quic-go/quic-go/pull/5382) **Full Changelog**: <https://github.com/quic-go/quic-go/compare/v0.55.0...v0.56.0> ### [`v0.55.0`](https://github.com/quic-go/quic-go/releases/tag/v0.55.0) [Compare Source](https://github.com/quic-go/quic-go/compare/v0.54.1...v0.55.0) This release contains a number of improvements and fixes, and it updates the supported Go versions to 1.24 and 1.25. #### Optimizations When sending packets on a QUIC connection, RFC 9002 requires us to save the timestamp for every packet sent. In [#5344](https://github.com/quic-go/quic-go/issues/5344), we implemented a memory-optimized drop-in replacement for `time.Time`, which reduces the memory required from 24 to 8 bytes, and vastly speeds up timer calculations (which happen very frequently). #### New Features - Basic connection statistics are now exposed via `Conn.ConnectionStats`, thanks to [@MarcoPolo](https://github.com/MarcoPolo) - On some links, packet reordering can lead to spurious detections of packet loss when using the loss detection logic specified in RFC 9002. [#5355](https://github.com/quic-go/quic-go/issues/5355) adds logic detect when packet loss is detected spuriously. #### Notable Fixes - http3: don't allow usage of closed `Transport`: [#5324](https://github.com/quic-go/quic-go/issues/5324), thanks to [@Glonee](https://github.com/Glonee) - http3: fix race in concurrent `Transport.Roundtrip` calls: [#5323](https://github.com/quic-go/quic-go/issues/5323), thanks to [@Glonee](https://github.com/Glonee) - improve and fix connection timer logic: [#5339](https://github.com/quic-go/quic-go/issues/5339), thanks to [@sukunrt](https://github.com/sukunrt) for a very comprehensive code review #### Behind the Scenes We have started transitioning tests to make use of the new `synctest` package that was added in Go 1.25 (and was available as a `GOEXPERIMENT` in Go 1.24): [#5291](https://github.com/quic-go/quic-go/issues/5291), [#5296](https://github.com/quic-go/quic-go/issues/5296), [#5298](https://github.com/quic-go/quic-go/issues/5298), [#5299](https://github.com/quic-go/quic-go/issues/5299), [#5302](https://github.com/quic-go/quic-go/issues/5302), [#5304](https://github.com/quic-go/quic-go/issues/5304), [#5305](https://github.com/quic-go/quic-go/issues/5305), [#5306](https://github.com/quic-go/quic-go/issues/5306), [#5317](https://github.com/quic-go/quic-go/issues/5317). This is a lot of work, but it makes the test execution both faster and more reliable. #### Changelog - wire: implement parsing and writing of the ACK\_FREQUENCY frame by [@marten-seemann](https://github.com/marten-seemann) in [#5264](https://github.com/quic-go/quic-go/pull/5264) - wire: implement parsing and writing of the IMMEDIATE\_ACK frame by [@marten-seemann](https://github.com/marten-seemann) in [#5265](https://github.com/quic-go/quic-go/pull/5265) - fuzzing: fix timeout in frame parser by [@jannis-seemann](https://github.com/jannis-seemann) in [#5268](https://github.com/quic-go/quic-go/pull/5268) - wire: add support for the min\_ack\_delay transport parameter by [@marten-seemann](https://github.com/marten-seemann) in [#5266](https://github.com/quic-go/quic-go/pull/5266) - fix missing log statement for STREAM, DATAGRAM and ACK by [@jannis-seemann](https://github.com/jannis-seemann) in [#5273](https://github.com/quic-go/quic-go/pull/5273) - qlog: add support for ACK\_FREQUENCY and IMMEDIATE\_ACK frames by [@marten-seemann](https://github.com/marten-seemann) in [#5276](https://github.com/quic-go/quic-go/pull/5276) - ackhandler: remove unused time from receivedPacketHandler.ReceivedPacket by [@marten-seemann](https://github.com/marten-seemann) in [#5277](https://github.com/quic-go/quic-go/pull/5277) - quicvarint: extend benchmark to use quicvarint.Reader by [@marten-seemann](https://github.com/marten-seemann) in [#5278](https://github.com/quic-go/quic-go/pull/5278) - quicvarint: tolerate empty reads of the underlying io.Reader by [@bemasc](https://github.com/bemasc) in [#5275](https://github.com/quic-go/quic-go/pull/5275) - http3: fix documentation for Server.ServeListener by [@WeidiDeng](https://github.com/WeidiDeng) in [#5282](https://github.com/quic-go/quic-go/pull/5282) - expose connection stats via Conn.ConnectionStats by [@marten-seemann](https://github.com/marten-seemann) in [#5281](https://github.com/quic-go/quic-go/pull/5281) - ackhandler: generalize check for missing packets below threshold by [@marten-seemann](https://github.com/marten-seemann) in [#5260](https://github.com/quic-go/quic-go/pull/5260) - update to Go 1.25, drop Go 1.23, use go tool for gomock by [@marten-seemann](https://github.com/marten-seemann) in [#5283](https://github.com/quic-go/quic-go/pull/5283) - replace `interface{}` with `any` by [@marten-seemann](https://github.com/marten-seemann) in [#5290](https://github.com/quic-go/quic-go/pull/5290) - use testing.B.Loop in all benchmark tests by [@marten-seemann](https://github.com/marten-seemann) in [#5285](https://github.com/quic-go/quic-go/pull/5285) - build(deps): bump actions/checkout from 4 to 5 by [@dependabot](https://github.com/dependabot)\[bot] in [#5293](https://github.com/quic-go/quic-go/pull/5293) - use synctest to make receive stream tests fully deterministc by [@marten-seemann](https://github.com/marten-seemann) in [#5291](https://github.com/quic-go/quic-go/pull/5291) - use synctest to make streams map tests fully deterministic by [@marten-seemann](https://github.com/marten-seemann) in [#5296](https://github.com/quic-go/quic-go/pull/5296) - ci: cache the Go build cache for cross-compilation workflow by [@marten-seemann](https://github.com/marten-seemann) in [#5297](https://github.com/quic-go/quic-go/pull/5297) - ci: fix cache save and restore logic for cross compile workflow by [@marten-seemann](https://github.com/marten-seemann) in [#5300](https://github.com/quic-go/quic-go/pull/5300) - restore previously deleted TestStreamsMapConcurrent test by [@marten-seemann](https://github.com/marten-seemann) in [#5301](https://github.com/quic-go/quic-go/pull/5301) - use synctest to make the send queue tests fully deterministic by [@marten-seemann](https://github.com/marten-seemann) in [#5302](https://github.com/quic-go/quic-go/pull/5302) - use synctest to make the send stream tests fully deterministic by [@marten-seemann](https://github.com/marten-seemann) in [#5298](https://github.com/quic-go/quic-go/pull/5298) - ci: use `go mod tidy -diff` to check for tidied `go.mod` by [@marten-seemann](https://github.com/marten-seemann) in [#5303](https://github.com/quic-go/quic-go/pull/5303) - use synctest to make the datagram queue tests fully deterministic by [@marten-seemann](https://github.com/marten-seemann) in [#5305](https://github.com/quic-go/quic-go/pull/5305) - utils: use synctest to make the timer tests fully deterministic by [@marten-seemann](https://github.com/marten-seemann) in [#5306](https://github.com/quic-go/quic-go/pull/5306) - ackhandler: fix resetting of packet.isPathProbePacket by [@marten-seemann](https://github.com/marten-seemann) in [#5310](https://github.com/quic-go/quic-go/pull/5310) - ackhandler: use an iterator to process received packet ranges by [@marten-seemann](https://github.com/marten-seemann) in [#5309](https://github.com/quic-go/quic-go/pull/5309) - ackhandler: use a typed mock for the ECNHandler by [@marten-seemann](https://github.com/marten-seemann) in [#5311](https://github.com/quic-go/quic-go/pull/5311) - ackhandler: immediately clear ackedPacket slice after processing ACK by [@marten-seemann](https://github.com/marten-seemann) in [#5313](https://github.com/quic-go/quic-go/pull/5313) - ci: improve cache key generation for the cross compilation job by [@marten-seemann](https://github.com/marten-seemann) in [#5315](https://github.com/quic-go/quic-go/pull/5315) - ci: fix cache paths in cross compile workflow by [@marten-seemann](https://github.com/marten-seemann) in [#5318](https://github.com/quic-go/quic-go/pull/5318) - ackhandler: avoid storing packet number in packet struct by [@marten-seemann](https://github.com/marten-seemann) in [#5312](https://github.com/quic-go/quic-go/pull/5312) - ackhandler: store skipped packet numbers separately by [@marten-seemann](https://github.com/marten-seemann) in [#5314](https://github.com/quic-go/quic-go/pull/5314) - ackhandler: account for skipped packets in packet threshold calculation by [@marten-seemann](https://github.com/marten-seemann) in [#5316](https://github.com/quic-go/quic-go/pull/5316) - ackhandler: store the last four skipped packets by [@marten-seemann](https://github.com/marten-seemann) in [#5322](https://github.com/quic-go/quic-go/pull/5322) - http3: fix data race in Transport by [@Glonee](https://github.com/Glonee) in [#5323](https://github.com/quic-go/quic-go/pull/5323) - qlog: add a benchmark for the ConnectionTracer by [@marten-seemann](https://github.com/marten-seemann) in [#5328](https://github.com/quic-go/quic-go/pull/5328) - qlog: merge event category and name by [@marten-seemann](https://github.com/marten-seemann) in [#5329](https://github.com/quic-go/quic-go/pull/5329) - http3: don't allow usage of closed Transport by [@Glonee](https://github.com/Glonee) in [#5324](https://github.com/quic-go/quic-go/pull/5324) - build(deps): bump actions/setup-go from 5 to 6 by [@dependabot](https://github.com/dependabot)\[bot] in [#5330](https://github.com/quic-go/quic-go/pull/5330) - fix: return stream frames to pool on error paths by [@lidel](https://github.com/lidel) in [#5327](https://github.com/quic-go/quic-go/pull/5327) - ackhandler: add a benchmark for sending and acknowledging packets by [@marten-seemann](https://github.com/marten-seemann) in [#5333](https://github.com/quic-go/quic-go/pull/5333) - implement a memory-optimized time.Time replacement by [@marten-seemann](https://github.com/marten-seemann) in [#5334](https://github.com/quic-go/quic-go/pull/5334) - add a benchmark test for data transfers by [@marten-seemann](https://github.com/marten-seemann) in [#5335](https://github.com/quic-go/quic-go/pull/5335) - improve connection timer logic by [@marten-seemann](https://github.com/marten-seemann) in [#5339](https://github.com/quic-go/quic-go/pull/5339) - use synctest to make the connection tests fully deterministic by [@marten-seemann](https://github.com/marten-seemann) in [#5317](https://github.com/quic-go/quic-go/pull/5317) - drop initial packets when the handshake is confirmed by [@marten-seemann](https://github.com/marten-seemann) in [#5354](https://github.com/quic-go/quic-go/pull/5354) - protocol: optimize ConnectionID.String by [@marten-seemann](https://github.com/marten-seemann) in [#5351](https://github.com/quic-go/quic-go/pull/5351) - fix missing tracing of restored transport parameters by [@marten-seemann](https://github.com/marten-seemann) in [#5349](https://github.com/quic-go/quic-go/pull/5349) - ackhandler: track lost packets and detect spurious losses by [@marten-seemann](https://github.com/marten-seemann) in [#5355](https://github.com/quic-go/quic-go/pull/5355) #### New Contributors - [@bemasc](https://github.com/bemasc) made their first contribution in [#5275](https://github.com/quic-go/quic-go/pull/5275) - [@lidel](https://github.com/lidel) made their first contribution in [#5327](https://github.com/quic-go/quic-go/pull/5327) **Full Changelog**: <https://github.com/quic-go/quic-go/compare/v0.54.0...v0.55.0> ### [`v0.54.1`](https://github.com/quic-go/quic-go/compare/v0.54.0...v0.54.1) [Compare Source](https://github.com/quic-go/quic-go/compare/v0.54.0...v0.54.1) </details> --- ### Configuration 📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).

renovate-bot added 1 commit

2025-11-05 21:44:54 +00:00

chore(deps): update module github.com/quic-go/quic-go to v0.54.1 [security]

continuous-integration/drone/push Build was killed

Details

99aa7151d1

renovate-bot force-pushed renovate/go-github.com-quic-go-quic-go-vulnerability from 99aa7151d1

continuous-integration/drone/push Build was killed

Details

to 33a1850d55

continuous-integration/drone/push Build was killed

Details

2025-12-29 04:35:03 +00:00

Compare

renovate-bot changed title from ~~chore(deps): update module github.com/quic-go/quic-go to v0.54.1 [security]~~ to chore(deps): update module github.com/quic-go/quic-go to v0.57.0 [security]

2025-12-29 04:35:05 +00:00

renovate-bot commented

2025-12-29 04:35:06 +00:00

Author

Collaborator

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

1 additional dependency was updated

Details:

Package	Change
`github.com/quic-go/qpack`	`v0.5.1` -> `v0.6.0`

### ℹ️ Artifact update notice ##### File name: go.mod In order to perform the update(s) described in the table above, Renovate ran the `go get` command, which resulted in the following additional change(s): - 1 additional dependency was updated Details: | **Package** | **Change** | | :------------------------- | :------------------- | | `github.com/quic-go/qpack` | `v0.5.1` -> `v0.6.0` |

renovate-bot force-pushed renovate/go-github.com-quic-go-quic-go-vulnerability from 33a1850d55

continuous-integration/drone/push Build was killed

Details

to afe752142c

continuous-integration/drone/push Build was killed

Details

2026-01-15 22:03:31 +00:00

Compare