AIKIDO-2024-10504
github.com/quic-go/quic-go is vulnerable to Insufficient Verification of Data Authenticity
65
Medium Risk
This Affects:
github.com/quic-go/quic-goTL;DR
Affected versions of quic-go are vulnerable to a disruption attack where an off-path attacker can inject a forged ICMP "Packet Too Large" message. Because quic-go uses IP_PMTUDISC_DO, the kernel returns a "message too large" error when attempting to send packets exceeding the spoofed MTU. By setting the MTU below the QUIC minimum of 1200 bytes, the attacker can disrupt the connection even after the handshake, bypassing fallback mechanisms like HTTP over TCP. The attack requires the attacker to know both the client’s and server’s IP and port information.
Who does this affect?
You are affected if you are using a version that falls within the vulnerable range.
Background info
github.com/quic-go/quic-go is vulnerable to Insufficient Verification of Data Authenticity in versions 0.5.0 - 0.48.1.
How to fix this
Upgrade the github.com/quic-go/quic-go library to the patch version.
Links
GitHub Release
Are You Affected?
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.
SOC 2Compliant
ISO 27001Compliant