Skip to content

chore(deps): update module github.com/quic-go/quic-go to v0.57.0 [security] #237

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
renovate wants to merge 1 commit into
base: main
Choose a base branch
from
Open

chore(deps): update module github.com/quic-go/quic-go to v0.57.0 [security] #237

renovate wants to merge 1 commit into from

Conversation

@renovate
Copy link
Contributor

@renovate renovate bot commented Dec 22, 2025
edited
Loading

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
github.com/quic-go/quic-go v0.54.1 -> v0.57.0 age adoption passing confidence

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2025-64702

Summary

An attacker can cause excessive memory allocation in quic-go's HTTP/3 client and server implementations by sending a QPACK-encoded HEADERS frame that decodes into a large header field section (many unique header names and/or large values). The implementation builds an http.Header (used on the http.Request and http.Response, respectively), while only enforcing limits on the size of the (QPACK-compressed) HEADERS frame, but not on the decoded header, leading to memory exhaustion.

Impact

A misbehaving or malicious peer can cause a denial-of-service (DoS) attack on quic-go's HTTP/3 servers or clients by triggering excessive memory allocation, potentially leading to crashes or exhaustion. It affects both servers and clients due to symmetric header construction.

Details

In HTTP/3, headers are compressed using QPACK (RFC 9204). quic-go's HTTP/3 server (and client) decodes the QPACK-encoded HEADERS frame into header fields, then constructs an http.Request (or response).

http3.Server.MaxHeaderBytes and http3.Transport.MaxResponseHeaderBytes, respectively, limit encoded HEADERS frame size (default: 1 MB server, 10 MB client), but not decoded size. A maliciously crafted HEADERS frame can expand to ~50x the encoded size using QPACK static table entries with long names / values.

RFC 9114 requires enforcing decoded field section size limits via SETTINGS, which quic-go did not do.

The Fix

quic-go now enforces RFC 9114 decoded field section size limits, sending SETTINGS_MAX_FIELD_SECTION_SIZE and using incremental QPACK decoding to check the header size after each entry, aborting early on violations with HTTP 431 (on the server side) and stream reset (on the client side).

HTTP/3 QPACK Header Expansion DoS in github.com/quic-go/quic-go

CVE-2025-64702 / GHSA-g754-hx8w-x2g6 / GO-2025-4233

More information

Details

HTTP/3 QPACK Header Expansion DoS in github.com/quic-go/quic-go

Severity

Unknown

References

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).

quic-go HTTP/3 QPACK Header Expansion DoS

CVE-2025-64702 / GHSA-g754-hx8w-x2g6 / GO-2025-4233

More information

Details

Summary

An attacker can cause excessive memory allocation in quic-go's HTTP/3 client and server implementations by sending a QPACK-encoded HEADERS frame that decodes into a large header field section (many unique header names and/or large values). The implementation builds an http.Header (used on the http.Request and http.Response, respectively), while only enforcing limits on the size of the (QPACK-compressed) HEADERS frame, but not on the decoded header, leading to memory exhaustion.

Impact

A misbehaving or malicious peer can cause a denial-of-service (DoS) attack on quic-go's HTTP/3 servers or clients by triggering excessive memory allocation, potentially leading to crashes or exhaustion. It affects both servers and clients due to symmetric header construction.

Details

In HTTP/3, headers are compressed using QPACK (RFC 9204). quic-go's HTTP/3 server (and client) decodes the QPACK-encoded HEADERS frame into header fields, then constructs an http.Request (or response).

http3.Server.MaxHeaderBytes and http3.Transport.MaxResponseHeaderBytes, respectively, limit encoded HEADERS frame size (default: 1 MB server, 10 MB client), but not decoded size. A maliciously crafted HEADERS frame can expand to ~50x the encoded size using QPACK static table entries with long names / values.

RFC 9114 requires enforcing decoded field section size limits via SETTINGS, which quic-go did not do.

The Fix

quic-go now enforces RFC 9114 decoded field section size limits, sending SETTINGS_MAX_FIELD_SECTION_SIZE and using incremental QPACK decoding to check the header size after each entry, aborting early on violations with HTTP 431 (on the server side) and stream reset (on the client side).

Severity

  • CVSS Score: 5.3 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Release Notes

quic-go/quic-go (github.com/quic-go/quic-go)

v0.57.0

Compare Source

This release reworks the HTTP/3 header processing logic:

  • Both client and server now send their respective header size constraints using the SETTINGS_MAX_FIELD_SECTION_SIZE setting: #​5431
  • For any QPACK-related errors, the correct error code (QPACK_DECOMPRESSION_FAILED) is now used: #​5439
  • QPACK header parsing is now incremental (instead of parsing all headers at once), which is ~5-10% faster and reduces allocations: #​5435 (and quic-go/qpack#67)
  • The server now sends a 431 status code (Request Header Fields Too Large) when encountering HTTP header fields exceeding the size constraint: #​5452

 

Breaking Changes

  • http3: Transport.MaxResponseBytes is now an int (before: int64): #​5433
     

Notable Fixes

  • qlogwriter: fix storing of event schemas (this prevented qlog event logging from working for HTTP/3): #​5430
  • http3: errors sending the request are now ignored, instead, the response from the server is read (thereby allowing the client to read the status code, for example): #​5432

What's Changed

New Contributors

Full Changelog: quic-go/quic-go@v0.56.0...v0.57.0

v0.56.0

Compare Source

This release introduces qlog support for HTTP/3 (#​5367, #​5372, #​5374, #​5375, #​5376, #​5381, #​5383).

For this, we completely changed how connection tracing works. Instead of a general-purpose logging.ConnectionTracer (which we removed entirely), we now have a qlog-specific tracer (#​5356, #​5417). quic-go users can now implement their own qlog events.

It also removes the Prometheus-based metrics collection. Please comment on the tracking issue (#​5294) if you rely on metrics and are interested in seeing metrics brought back in a future release.

Notable Changes

  • replaced the unmaintained gojay with a custom, performance-optimized JSON encoder (#​5353, #​5371)
  • quicvarint: improved panic message for numbers larger than 2^62 (#​5410)

Behind the Scenes

Go 1.25 introduced support for testing concurrent code using testing/synctest. We've been working on transitioning tests to use synctest (#​5357, #​5391, #​5393, #​5397, #​5398, #​5403, #​5414, #​5415), using @​MarcoPolo's simnet package to simulate a network in memory.

Using synctest makes test execution more reliable (reducing flakiness). The use of a synthetic clock leads to a massive speedup; the execution time of some integration tests was reduced from 20s to less than 1ms. The work will continue for the next release (see tracking issue: #​5386).

Changelog

New Contributors

Full Changelog: quic-go/quic-go@v0.55.0...v0.56.0

v0.55.0

Compare Source

This release contains a number of improvements and fixes, and it updates the supported Go versions to 1.24 and 1.25.

Optimizations

When sending packets on a QUIC connection, RFC 9002 requires us to save the timestamp for every packet sent. In #​5344, we implemented a memory-optimized drop-in replacement for time.Time, which reduces the memory required from 24 to 8 bytes, and vastly speeds up timer calculations (which happen very frequently).

New Features

  • Basic connection statistics are now exposed via Conn.ConnectionStats, thanks to @​MarcoPolo
  • On some links, packet reordering can lead to spurious detections of packet loss when using the loss detection logic specified in RFC 9002. #​5355 adds logic detect when packet loss is detected spuriously.

Notable Fixes

  • http3: don't allow usage of closed Transport: #​5324, thanks to @​Glonee
  • http3: fix race in concurrent Transport.Roundtrip calls: #​5323, thanks to @​Glonee
  • improve and fix connection timer logic: #​5339, thanks to @​sukunrt for a very comprehensive code review

Behind the Scenes

We have started transitioning tests to make use of the new synctest package that was added in Go 1.25 (and was available as a GOEXPERIMENT in Go 1.24): #​5291, #​5296, #​5298, #​5299, #​5302, #​5304, #​5305, #​5306, #​5317. This is a lot of work, but it makes the test execution both faster and more reliable.

Changelog

New Contributors

Full Changelog: quic-go/quic-go@v0.54.0...v0.55.0

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot requested a review from a team as a code owner December 22, 2025 17:20
@renovate
Copy link
Contributor Author

renovate bot commented Dec 22, 2025

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 1 additional dependency was updated

Details:

Package Change
github.com/quic-go/qpack v0.5.1 -> v0.6.0

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

CVE security

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant