6.4

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-49295

CVE-2023-49295: quic-go's path validation mechanism can be exploited to cause denial of service

An attacker can cause its peer to run out of memory sending a large number of PATH_CHALLENGE frames. The receiver is supposed to respond to each PATH_CHALLENGE frame with a PATH_RESPONSE frame. The attacker can prevent the receiver from sending out (the vast majority of) these PATH_RESPONSE frames by collapsing the peers congestion window (by selectively acknowledging received packets) and by manipulating the peer's RTT estimate.

I published a more detailed description of the attack and its mitigation in this blog post: https://seemann.io/posts/2023-12-18-exploiting-quics-path-validation/

There's no way to mitigate this attack, please update quic-go to a version that contains the fix.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2023-49295

CVE-2023-49295:

6.4

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/quic-go/quic-go	go	= 0.40.0	0.40.1
github.com/quic-go/quic-go	go	>= 0.39.0, < 0.39.4	0.39.4
github.com/quic-go/quic-go	go	>= 0.38.0, < 0.38.2	0.38.2
github.com/quic-go/quic-go	go	< 0.37.7	0.37.7

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from uncontrolled queuing of PATH_RESPONSE frames. The commit diff shows the vulnerable QueueControlFrame function previously appended all PATH_RESPONSE frames to an unbounded slice (controlFrames). Attackers could exploit this by sending excessive PATH_CHALLENGE frames while manipulating congestion control, causing PATH_RESPONSE accumulation. The patch introduces a dedicated pathResponses slice with a 256-item limit in QueueControlFrame, confirming this was the vulnerable function.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

6.4

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2023-49295: quic-go's path validation mechanism can be exploited to cause denial of service

CVE-2023-49295:

6.4

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

CVE-2023-49295: quic-go's path validation mechanism can be exploited to cause denial of service

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Technical Details

Basic Information

Basic Information

6.4

6.4

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI