An attacker can trigger a denial-of-service (DoS) condition in quic‑go's HTTP/3 client and server by sending a specially crafted QPACK‑encoded `HEADERS` frame that decodes into an extremely large trailer field section. The implementation builds an `http.Header` for the corresponding `http.Request` or `http.Response`. It enforces a limit on the size of the compressed `HEADERS` frame (1 MB by default for servers, 10 MB for clients), but it does not limit the size of the decoded field section. Because a QPACK indexed field line referencing a static table entry costs only a byte or two on the wire yet expands to the entry's full name and value, an attacker who repeatedly references entries with long names and/or values can make the decoded trailers roughly 50× larger than the encoded frame. The endpoint then tries to allocate memory for the entire decoded header, leading to memory exhaustion, crashes, or resource starvation. This contradicts RFC 9114, which expects endpoints to bound the size of the decoded field section and to advertise that bound via `SETTINGS_MAX_FIELD_SECTION_SIZE`; an encoded-size cap alone does not provide that bound. The vulnerability is symmetric: both servers and clients are affected because they construct headers the same way.
DailyCVE Form:
Platform: quic‑go
Version: <= 0.59.0
Vulnerability: Memory Exhaustion
Severity: Medium (5.3)
Date: 2026‑06‑03
Prediction: 2026‑06‑03 (v0.59.1)
What Undercode Say:
Analytics:
Check the quic‑go version currently pinned in go.mod:
`grep "github.com/quic-go/quic-go" go.mod`
Update to the patched release:
`go get github.com/quic-go/quic-go@v0.59.1`
Exploit:
An attacker sends a QPACK‑encoded `HEADERS` frame whose trailer field section consists of a very large number of indexed references to static table entries with long names or values. Each reference is only a byte or two of encoded input, so the frame stays well under the compressed-size limit, yet every reference expands to the entry's full name and value on decode. Because quic‑go does not cap the decoded size, the receiver attempts to allocate memory for the entire expanded trailer block, quickly exhausting available memory and crashing the process.
Protection:
Upgrade to quic‑go v0.59.1 or later. The fix enforces RFC 9114 decoded field section limits for trailers by incrementally decoding QPACK entries and aborting the stream as soon as the limit is exceeded.
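The following Go program is an added example written for this page, not quic‑go's own code, to make the exploit and the fix above concrete. It models a QPACK decoder over a constructed, abbreviated stand-in for the static table (the indices and entries are illustrative, not the real RFC 9204 table) and treats each static-table reference as one encoded byte. `decodeUnbounded` mirrors the pre-fix behaviour (only the encoded size is capped), while `decodeBounded` applies the RFC 9114 §4.2.2 accounting (name + value + 32 bytes per field) incrementally and aborts the section as soon as the decoded limit is exceeded. The function names, the 16 KB decoded limit and the sample attack input are all assumptions of this example.

```go
package main

import (
	"errors"
	"fmt"
)

// fieldLine is one decoded header or trailer field.
type fieldLine struct {
	name, value string
}

// staticTable is a CONSTRUCTED stand-in for the QPACK static table
// (RFC 9204 Appendix A). Indices and contents are illustrative only; what
// matters is that a one-byte indexed reference expands to a long name/value.
var staticTable = []fieldLine{
	{":authority", ""},
	{"content-type", "application/x-www-form-urlencoded"},
	{"access-control-allow-headers", "cache-control"},
	{"strict-transport-security", "max-age=31536000; includesubdomains; preload"},
}

// ErrFieldSectionTooLarge is returned once the decoded size passes the limit.
var ErrFieldSectionTooLarge = errors.New("decoded field section exceeds SETTINGS_MAX_FIELD_SECTION_SIZE")

// encodedRefs models an encoded field section as a list of static-table
// indices; in this model each reference costs one byte on the wire.
type encodedRefs []int

// fieldSize applies the RFC 9114 section 4.2.2 accounting: uncompressed
// name and value lengths plus 32 bytes of overhead per field.
func fieldSize(f fieldLine) int { return len(f.name) + len(f.value) + 32 }

// sectionSize sums fieldSize over a decoded field section.
func sectionSize(fs []fieldLine) int {
	n := 0
	for _, f := range fs {
		n += fieldSize(f)
	}
	return n
}

func lookup(i int) (fieldLine, error) {
	if i < 0 || i >= len(staticTable) {
		return fieldLine{}, fmt.Errorf("static table index %d out of range", i)
	}
	return staticTable[i], nil
}

// decodeUnbounded mirrors the pre-fix behaviour described on this page: only
// the encoded size is capped, so the result grows by the full expansion ratio.
func decodeUnbounded(refs encodedRefs, maxEncoded int) ([]fieldLine, error) {
	if len(refs) > maxEncoded {
		return nil, errors.New("encoded HEADERS frame too large")
	}
	out := make([]fieldLine, 0, len(refs))
	for _, i := range refs {
		f, err := lookup(i)
		if err != nil {
			return nil, err
		}
		out = append(out, f)
	}
	return out, nil
}

// decodeBounded is the hardened form: it keeps a running total of the decoded
// size and aborts as soon as maxDecoded is exceeded, so memory use is bounded
// by the advertised limit rather than by the attacker's expansion ratio.
func decodeBounded(refs encodedRefs, maxEncoded, maxDecoded int) ([]fieldLine, error) {
	if len(refs) > maxEncoded {
		return nil, errors.New("encoded HEADERS frame too large")
	}
	var out []fieldLine
	total := 0
	for _, i := range refs {
		f, err := lookup(i)
		if err != nil {
			return nil, err
		}
		total += fieldSize(f)
		if total > maxDecoded {
			return nil, ErrFieldSectionTooLarge // abort before allocating more
		}
		out = append(out, f)
	}
	return out, nil
}

// attackRefs builds a constructed malicious section: n one-byte references
// to the longest entry of the stand-in table.
func attackRefs(n int) encodedRefs {
	refs := make(encodedRefs, n)
	for i := range refs {
		refs[i] = 3
	}
	return refs
}

func main() {
	refs := attackRefs(1000)
	hdr, err := decodeUnbounded(refs, 1<<20) // 1 MB encoded cap, as for servers
	if err != nil {
		panic(err)
	}
	fmt.Printf("encoded %d bytes -> decoded %d bytes (%dx expansion)\n",
		len(refs), sectionSize(hdr), sectionSize(hdr)/len(refs))
	_, err = decodeBounded(refs, 1<<20, 16<<10) // assumed 16 KB decoded limit
	fmt.Println("bounded decoder:", err)
}
```

The point to take from the two decoders is where the check sits: a limit applied after decoding still lets the allocation happen, so the bounded version has to account for each field before appending it. In the model the 1000-byte attack input decodes to 101000 bytes, and the bounded decoder rejects it after the 163rd field instead of materialising the whole section.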
Impact:
Successful exploitation leads to denial‑of‑service (memory exhaustion), causing crashes or severe resource depletion on both HTTP/3 servers and clients.
Sources:
Reported By: github.com

