
security: update quic-go to v0.57.0 to fix GO-2025-4233 #149

Closed
jenxie wants to merge 1 commit into voxpupuli:main from jenxie:fix/security-vuln-4233

Conversation

@jenxie (Contributor) commented Mar 20, 2026

Updated quic-go to v0.57.0 to address GO-2025-4233.
While this dashboard is typically internal, this update improves overall security posture and clears vulnerability scans.

govulncheck ./...

=== Symbol Results ===

Vulnerability #1: GO-2025-4233
    HTTP/3 QPACK Header Expansion DoS in github.com/quic-go/quic-go
  More info: https://pkg.go.dev/vuln/GO-2025-4233
  Module: github.com/quic-go/quic-go
    Found in: github.com/quic-go/quic-go@v0.54.0
    Fixed in: github.com/quic-go/quic-go@v0.57.0
    Example traces found:
      #1: puppetdb/client.go:50:14: puppetdb.client.call calls fmt.Printf, which eventually calls http3.ConfigureTLSConfig
      #2: handler/core.go:17:27: handler.NewErrorResponse calls http3.Error.Error

Updated with go get github.com/quic-go/quic-go@v0.57.0 (which bumps go to 1.24) followed by a go mod tidy

Tested with make develop-frontend, go run . and added an agent to check functionality.
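The PR relies on govulncheck and a manual `go get` bump; a repository can also gate on the advisory directly. The following Go program is an added example, not code from this PR or the voxpupuli project: it reads a go.mod, extracts the required version of the module named in the govulncheck output above, and reports whether it is at or above the fixed release. The two go.mod texts are constructed samples representing the state before and after the bump; the module path and version numbers come from the advisory output in the PR.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Module path and fixed version as reported by govulncheck for GO-2025-4233.
const (
	vulnModule   = "github.com/quic-go/quic-go"
	fixedVersion = "v0.57.0"
)

// Constructed sample go.mod files (not the project's real go.mod):
// the dependency as it was before the bump, and after it.
const sampleGoModBefore = `module example.com/dashboard

go 1.23

require (
	github.com/example/web v1.10.0
	github.com/quic-go/quic-go v0.54.0 // indirect
)
`

const sampleGoModAfter = `module example.com/dashboard

go 1.24

require (
	github.com/example/web v1.10.0
	github.com/quic-go/quic-go v0.57.0 // indirect
)
`

// parseSemver splits "vMAJOR.MINOR.PATCH[-pre][+build]" into its numeric parts.
func parseSemver(v string) ([3]int, error) {
	var out [3]int
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i] // ignore pre-release and build metadata for this check
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return out, fmt.Errorf("not a semver: %q", v)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return out, fmt.Errorf("not a semver: %q", v)
		}
		out[i] = n
	}
	return out, nil
}

// compareSemver returns -1, 0 or 1 for a<b, a==b, a>b.
func compareSemver(a, b [3]int) int {
	for i := 0; i < 3; i++ {
		if a[i] < b[i] {
			return -1
		}
		if a[i] > b[i] {
			return 1
		}
	}
	return 0
}

// requiredVersion returns the version go.mod requires for modulePath, handling
// both the single-line `require x vN` form and the `require ( ... )` block.
// Trailing comments such as "// indirect" are stripped. "" means not required.
func requiredVersion(gomod, modulePath string) string {
	sc := bufio.NewScanner(strings.NewReader(gomod))
	inBlock := false
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if c := strings.Index(line, "//"); c >= 0 {
			line = strings.TrimSpace(line[:c])
		}
		switch {
		case line == "require (":
			inBlock = true
			continue
		case inBlock && line == ")":
			inBlock = false
			continue
		case strings.HasPrefix(line, "require "):
			line = strings.TrimPrefix(line, "require ")
		case !inBlock:
			continue // module, go, replace and other directives
		}
		fields := strings.Fields(line)
		if len(fields) >= 2 && fields[0] == modulePath {
			return fields[1]
		}
	}
	return ""
}

// checkFixed reports whether go.mod requires vulnModule at or above fixedVersion.
// A go.mod that does not require the module at all is treated as unaffected.
func checkFixed(gomod string) (fixed bool, found string, err error) {
	found = requiredVersion(gomod, vulnModule)
	if found == "" {
		return true, "", nil
	}
	have, err := parseSemver(found)
	if err != nil {
		return false, found, err
	}
	want, _ := parseSemver(fixedVersion) // constant, known to parse
	return compareSemver(have, want) >= 0, found, nil
}

func main() {
	for _, s := range []struct{ name, gomod string }{
		{"before", sampleGoModBefore}, {"after", sampleGoModAfter},
	} {
		ok, v, err := checkFixed(s.gomod)
		fmt.Printf("%s: %s at %s, fixed=%v, err=%v\n", s.name, vulnModule, v, ok, err)
	}
}
```

go.mod records the minimum version the module requires, and minimal version selection may pick a higher one from the full graph, so for the authoritative answer run `go list -m github.com/quic-go/quic-go` or govulncheck as the PR author did; this check is a cheap pre-commit or CI guard that catches a go.mod still pinning a version below the fix.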

@jenxie jenxie force-pushed the fix/security-vuln-4233 branch from a32dbdc to 47b4484 on March 20, 2026 21:34
@jenxie jenxie force-pushed the fix/security-vuln-4233 branch from 47b4484 to 7c7c2b1 on March 20, 2026 21:36
@jenxie jenxie closed this Mar 20, 2026
@jenxie jenxie deleted the fix/security-vuln-4233 branch March 20, 2026 21:40