RUSTSEC-2026-0037: Denial of service in Quinn endpoints #1761
Description
| Details | |
|---|---|
| Package | quinn-proto |
| Version | 0.11.13 |
| URL | quinn-rs/quinn#2559 |
| Patched Versions | >=0.11.14 |
| Unaffected Versions | <0.5.0 |
| Aliases | GHSA-6xvm-j4wr-6v98 |
Receiving QUIC transport parameters containing invalid values could lead to a panic.
Unfortunately the maintainers did not properly assess usage of unwrap() calls in the
transport parameters parsing code, and we did not have sufficient fuzzing coverage to find this
issue. We have since added a fuzzing target to cover this code path.