Skip to content

chore(deps): update module github.com/quic-go/quic-go to v0.57.0 [security] #1014

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
renovate-sh-app wants to merge 1 commit into
base: main
Choose a base branch
from
Open

chore(deps): update module github.com/quic-go/quic-go to v0.57.0 [security] #1014

renovate-sh-app wants to merge 1 commit into from
+8 −10

Conversation

@renovate-sh-app
Copy link

@renovate-sh-app renovate-sh-app bot commented Oct 23, 2025
edited
Loading

This PR contains the following updates:

Package Change Age Confidence
github.com/quic-go/quic-go v0.54.0 -> v0.57.0 age confidence

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2025-59530

Summary

A misbehaving or malicious server can trigger an assertion in a quic-go client (and crash the process) by sending a premature HANDSHAKE_DONE frame during the handshake.

Impact

A misbehaving or malicious server can cause a denial-of-service (DoS) attack on the quic-go client by triggering an assertion failure, leading to a process crash. This requires no authentication and can be exploited during the handshake phase. Observed in the wild with certain server implementations (e.g. Solana's Firedancer QUIC).

Affected Versions

  • All versions prior to v0.49.1 (for the 0.49 branch)
  • Versions v0.50.0 to v0.54.0 (inclusive)
  • Fixed in v0.49.1, v0.54.1, and v0.55.0 onward

Users are recommended to upgrade to the latest patched version in their respective maintenance branch or to v0.55.0 or later.

Details

For a regular 1-RTT handshake, QUIC uses three sets of keys to encrypt / decrypt QUIC packets:

  • Initial keys (derived from a static key and the connection ID)
  • Handshake keys (derived from the client's and server's key shares in the TLS handshake)
  • 1-RTT keys (derived when the TLS handshake finishes)

On the client side, Initial keys are discarded when the first Handshake packet is sent. Handshake keys are discarded when the server's HANDSHAKE_DONE frame is received, as specified in section 4.9.2 of RFC 9001. Crucially, Initial keys are always dropped before Handshake keys in a standard handshake.

Due to packet reordering, it is possible to receive a packet with a higher encryption level before the key for that encryption level has been derived. For example, the server's Handshake packets (containing, among others, the TLS certificate) might arrive before the server's Initial packet (which contains the TLS ServerHello). In that case, the client queues the Handshake packets and decrypts them as soon as it has processed the ServerHello and derived Handshake keys.

After completion of the handshake, Initial and Handshake packets are not needed anymore and will be dropped. quic-go implements an assertion that no packets are queued after completion of the handshake.

A misbehaving or malicious server can trigger this assertion, and thereby cause a panic, by sending a HANDSHAKE_DONE frame before actually completing the handshake. In that case, Handshake keys would be dropped before Initial keys.

This can only happen if the server implementation is misbehaving: the server can only complete the handshake after receiving the client's TLS Finished message (which is sent in Handshake packets).

The Fix

quic-go needs to be able to handle misbehaving server implementations, including those that prematurely send a HANDSHAKE_DONE frame. We now discard Initial keys when receiving a HANDSHAKE_DONE frame, thereby correctly handling premature HANDSHAKE_DONE frames. The fix was implemented in https://github.com/quic-go/quic-go/pull/5354.

CVE-2025-64702

Summary

An attacker can cause excessive memory allocation in quic-go's HTTP/3 client and server implementations by sending a QPACK-encoded HEADERS frame that decodes into a large header field section (many unique header names and/or large values). The implementation builds an http.Header (used on the http.Request and http.Response, respectively), while only enforcing limits on the size of the (QPACK-compressed) HEADERS frame, but not on the decoded header, leading to memory exhaustion.

Impact

A misbehaving or malicious peer can cause a denial-of-service (DoS) attack on quic-go's HTTP/3 servers or clients by triggering excessive memory allocation, potentially leading to crashes or exhaustion. It affects both servers and clients due to symmetric header construction.

Details

In HTTP/3, headers are compressed using QPACK (RFC 9204). quic-go's HTTP/3 server (and client) decodes the QPACK-encoded HEADERS frame into header fields, then constructs an http.Request (or response).

http3.Server.MaxHeaderBytes and http3.Transport.MaxResponseHeaderBytes, respectively, limit encoded HEADERS frame size (default: 1 MB server, 10 MB client), but not decoded size. A maliciously crafted HEADERS frame can expand to ~50x the encoded size using QPACK static table entries with long names / values.

RFC 9114 requires enforcing decoded field section size limits via SETTINGS, which quic-go did not do.

The Fix

quic-go now enforces RFC 9114 decoded field section size limits, sending SETTINGS_MAX_FIELD_SECTION_SIZE and using incremental QPACK decoding to check the header size after each entry, aborting early on violations with HTTP 431 (on the server side) and stream reset (on the client side).

quic-go: Panic occurs when queuing undecryptable packets after handshake completion

CVE-2025-59530 / GHSA-47m2-4cr7-mhcw / GO-2025-4017

More information

Details

Summary

A misbehaving or malicious server can trigger an assertion in a quic-go client (and crash the process) by sending a premature HANDSHAKE_DONE frame during the handshake.

Impact

A misbehaving or malicious server can cause a denial-of-service (DoS) attack on the quic-go client by triggering an assertion failure, leading to a process crash. This requires no authentication and can be exploited during the handshake phase. Observed in the wild with certain server implementations (e.g. Solana's Firedancer QUIC).

Affected Versions
  • All versions prior to v0.49.1 (for the 0.49 branch)
  • Versions v0.50.0 to v0.54.0 (inclusive)
  • Fixed in v0.49.1, v0.54.1, and v0.55.0 onward

Users are recommended to upgrade to the latest patched version in their respective maintenance branch or to v0.55.0 or later.

Details

For a regular 1-RTT handshake, QUIC uses three sets of keys to encrypt / decrypt QUIC packets:

  • Initial keys (derived from a static key and the connection ID)
  • Handshake keys (derived from the client's and server's key shares in the TLS handshake)
  • 1-RTT keys (derived when the TLS handshake finishes)

On the client side, Initial keys are discarded when the first Handshake packet is sent. Handshake keys are discarded when the server's HANDSHAKE_DONE frame is received, as specified in section 4.9.2 of RFC 9001. Crucially, Initial keys are always dropped before Handshake keys in a standard handshake.

Due to packet reordering, it is possible to receive a packet with a higher encryption level before the key for that encryption level has been derived. For example, the server's Handshake packets (containing, among others, the TLS certificate) might arrive before the server's Initial packet (which contains the TLS ServerHello). In that case, the client queues the Handshake packets and decrypts them as soon as it has processed the ServerHello and derived Handshake keys.

After completion of the handshake, Initial and Handshake packets are not needed anymore and will be dropped. quic-go implements an assertion that no packets are queued after completion of the handshake.

A misbehaving or malicious server can trigger this assertion, and thereby cause a panic, by sending a HANDSHAKE_DONE frame before actually completing the handshake. In that case, Handshake keys would be dropped before Initial keys.

This can only happen if the server implementation is misbehaving: the server can only complete the handshake after receiving the client's TLS Finished message (which is sent in Handshake packets).

The Fix

quic-go needs to be able to handle misbehaving server implementations, including those that prematurely send a HANDSHAKE_DONE frame. We now discard Initial keys when receiving a HANDSHAKE_DONE frame, thereby correctly handling premature HANDSHAKE_DONE frames. The fix was implemented in https://github.com/quic-go/quic-go/pull/5354.

Severity

  • CVSS Score: 7.5 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Panic occurs when queuing undecryptable packets after handshake completion in github.com/quic-go/quic-go

CVE-2025-59530 / GHSA-47m2-4cr7-mhcw / GO-2025-4017

More information

Details

Panic occurs when queuing undecryptable packets after handshake completion in github.com/quic-go/quic-go

Severity

Unknown

References

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).

Release Notes

quic-go/quic-go (github.com/quic-go/quic-go)

v0.57.0

Compare Source

This release contains a fix for CVE-2025-64702 by reworking the HTTP/3 header processing logic:

  • Both client and server now send their respective header size constraints using the SETTINGS_MAX_FIELD_SECTION_SIZE setting: #​5431
  • For any QPACK-related errors, the correct error code (QPACK_DECOMPRESSION_FAILED) is now used: #​5439
  • QPACK header parsing is now incremental (instead of parsing all headers at once), which is ~5-10% faster and reduces allocations: #​5435 (and quic-go/qpack#67)
  • The server now sends a 431 status code (Request Header Fields Too Large) when encountering HTTP header fields exceeding the size constraint: #​5452

 

Breaking Changes

  • http3: Transport.MaxResponseBytes is now an int (before: int64): #​5433
     

Notable Fixes

  • qlogwriter: fix storing of event schemas (this prevented qlog event logging from working for HTTP/3): #​5430
  • http3: errors sending the request are now ignored, instead, the response from the server is read (thereby allowing the client to read the status code, for example): #​5432

What's Changed

New Contributors

Full Changelog: quic-go/quic-go@v0.56.0...v0.57.0

v0.56.0

Compare Source

This release introduces qlog support for HTTP/3 (#​5367, #​5372, #​5374, #​5375, #​5376, #​5381, #​5383).

For this, we completely changed how connection tracing works. Instead of a general-purpose logging.ConnectionTracer (which we removed entirely), we now have a qlog-specific tracer (#​5356, #​5417). quic-go users can now implement their own qlog events.

It also removes the Prometheus-based metrics collection. Please comment on the tracking issue (#​5294) if you rely on metrics and are interested in seeing metrics brought back in a future release.

Notable Changes

  • replaced the unmaintained gojay with a custom, performance-optimized JSON encoder (#​5353, #​5371)
  • quicvarint: improved panic message for numbers larger than 2^62 (#​5410)

Behind the Scenes

Go 1.25 introduced support for testing concurrent code using testing/synctest. We've been working on transitioning tests to use synctest (#​5357, #​5391, #​5393, #​5397, #​5398, #​5403, #​5414, #​5415), using @​MarcoPolo's simnet package to simulate a network in memory.

Using synctest makes test execution more reliable (reducing flakiness). The use of a synthetic clock leads to a massive speedup; the execution time of some integration tests was reduced from 20s to less than 1ms. The work will continue for the next release (see tracking issue: #​5386).

Changelog

New Contributors

Full Changelog: quic-go/quic-go@v0.55.0...v0.56.0

v0.55.0

Compare Source

This release contains a number of improvements and fixes, and it updates the supported Go versions to 1.24 and 1.25.

Optimizations

When sending packets on a QUIC connection, RFC 9002 requires us to save the timestamp for every packet sent. In #​5344, we implemented a memory-optimized drop-in replacement for time.Time, which reduces the memory required from 24 to 8 bytes, and vastly speeds up timer calculations (which happen very frequently).

New Features

  • Basic connection statistics are now exposed via Conn.ConnectionStats, thanks to @​MarcoPolo
  • On some links, packet reordering can lead to spurious detections of packet loss when using the loss detection logic specified in RFC 9002. #​5355 adds logic detect when packet loss is detected spuriously.

Notable Fixes

  • http3: don't allow usage of closed Transport: #​5324, thanks to @​Glonee
  • http3: fix race in concurrent Transport.Roundtrip calls: #​5323, thanks to @​Glonee
  • improve and fix connection timer logic: #​5339, thanks to @​sukunrt for a very comprehensive code review

Behind the Scenes

We have started transitioning tests to make use of the new synctest package that was added in Go 1.25 (and was available as a GOEXPERIMENT in Go 1.24): #​5291, #​5296, #​5298, #​5299, #​5302, #​5304, #​5305, #​5306, #​5317. This is a lot of work, but it makes the test execution both faster and more reliable.

Changelog

New Contributors

Full Changelog: quic-go/quic-go@v0.54.0...v0.55.0

v0.54.1

Compare Source

Configuration

📅 Schedule: Branch creation - "" in timezone UTC, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

Need help?

You can ask for more help in the following Slack channel: #proj-renovate-self-hosted. In that channel you can also find ADR and FAQ docs in the Resources section.

@renovate-sh-app renovate-sh-app bot enabled auto-merge (squash) October 23, 2025 12:18
@renovate-sh-app renovate-sh-app bot force-pushed the renovate/go-github.com-quic-go-quic-go-vulnerability branch from caa11e3 to 8d46a53 Compare October 28, 2025 18:18
@renovate-sh-app renovate-sh-app bot force-pushed the renovate/go-github.com-quic-go-quic-go-vulnerability branch 3 times, most recently from 01be6c7 to edff47b Compare November 6, 2025 00:19
@renovate-sh-app renovate-sh-app bot force-pushed the renovate/go-github.com-quic-go-quic-go-vulnerability branch 3 times, most recently from abad47c to 171772d Compare November 17, 2025 03:17
@renovate-sh-app renovate-sh-app bot force-pushed the renovate/go-github.com-quic-go-quic-go-vulnerability branch 4 times, most recently from f24727e to 0cbd7e2 Compare December 1, 2025 04:43
@renovate-sh-app renovate-sh-app bot force-pushed the renovate/go-github.com-quic-go-quic-go-vulnerability branch 2 times, most recently from 9a06df0 to cf4d6f6 Compare December 8, 2025 22:32
@renovate-sh-app
chore(deps): update module github.com/quic-go/quic-go to v0.57.0 [sec…
188557e 
…urity]

| datasource | package                    | from    | to      |
| ---------- | -------------------------- | ------- | ------- |
| go         | github.com/quic-go/quic-go | v0.54.0 | v0.57.0 |


Signed-off-by: renovate-sh-app[bot] <219655108+renovate-sh-app[bot]@users.noreply.github.com>
@renovate-sh-app renovate-sh-app bot force-pushed the renovate/go-github.com-quic-go-quic-go-vulnerability branch from cf4d6f6 to 188557e Compare December 11, 2025 19:34
@renovate-sh-app renovate-sh-app bot changed the title chore(deps): update module github.com/quic-go/quic-go to v0.54.1 [security] chore(deps): update module github.com/quic-go/quic-go to v0.57.0 [security] Dec 11, 2025
@renovate-sh-app
Copy link
Author

renovate-sh-app bot commented Dec 11, 2025

ℹ Artifact update notice

File name: internal/tools/go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 1 additional dependency was updated

Details:

Package Change
github.com/quic-go/qpack v0.5.1 -> v0.6.0

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

security-update

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants