Update module github.com/quic-go/quic-go to v0.57.0 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
github.com/quic-go/quic-go	v0.55.0 -> v0.57.0

---

quic-go HTTP/3 QPACK Header Expansion DoS

CVE-2025-64702 / GHSA-g754-hx8w-x2g6

More information

Details

Summary

An attacker can cause excessive memory allocation in quic-go's HTTP/3 client and server implementations by sending a QPACK-encoded HEADERS frame that decodes into a large header field section (many unique header names and/or large values). The implementation builds an http.Header (used on the http.Request and http.Response, respectively), while only enforcing limits on the size of the (QPACK-compressed) HEADERS frame, but not on the decoded header, leading to memory exhaustion.

Impact

A misbehaving or malicious peer can cause a denial-of-service (DoS) attack on quic-go's HTTP/3 servers or clients by triggering excessive memory allocation, potentially leading to crashes or exhaustion. It affects both servers and clients due to symmetric header construction.

Details

In HTTP/3, headers are compressed using QPACK (RFC 9204). quic-go's HTTP/3 server (and client) decodes the QPACK-encoded HEADERS frame into header fields, then constructs an http.Request (or response).

http3.Server.MaxHeaderBytes and http3.Transport.MaxResponseHeaderBytes, respectively, limit encoded HEADERS frame size (default: 1 MB server, 10 MB client), but not decoded size. A maliciously crafted HEADERS frame can expand to ~50x the encoded size using QPACK static table entries with long names / values.

RFC 9114 requires enforcing decoded field section size limits via SETTINGS, which quic-go did not do.

The Fix

quic-go now enforces RFC 9114 decoded field section size limits, sending SETTINGS_MAX_FIELD_SECTION_SIZE and using incremental QPACK decoding to check the header size after each entry, aborting early on violations with HTTP 431 (on the server side) and stream reset (on the client side).

Severity

• CVSS Score: 5.3 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

References

• https://github.com/quic-go/quic-go/security/advisories/GHSA-g754-hx8w-x2g6
• https://nvd.nist.gov/vuln/detail/CVE-2025-64702
• https://github.com/quic-go/quic-go/commit/5b2d2129f8315da41e01eff0a847ab38a34e83a8
• https://github.com/quic-go/quic-go

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

quic-go/quic-go (github.com/quic-go/quic-go)

v0.57.0

Compare Source

This release reworks the HTTP/3 header processing logic:

• Both client and server now send their respective header size constraints using the SETTINGS_MAX_FIELD_SECTION_SIZE setting: #​5431
• For any QPACK-related errors, the correct error code (QPACK_DECOMPRESSION_FAILED) is now used: #​5439
• QPACK header parsing is now incremental (instead of parsing all headers at once), which is ~5-10% faster and reduces allocations: #​5435 (and quic-go/qpack#67)
• The server now sends a 431 status code (Request Header Fields Too Large) when encountering HTTP header fields exceeding the size constraint: #​5452

 

Breaking Changes

• http3: Transport.MaxResponseBytes is now an int (before: int64): #​5433
   

Notable Fixes

• qlogwriter: fix storing of event schemas (this prevented qlog event logging from working for HTTP/3): #​5430
• http3: errors sending the request are now ignored, instead, the response from the server is read (thereby allowing the client to read the status code, for example): #​5432

What's Changed

• build(deps): bump golangci/golangci-lint-action from 8 to 9 by @​dependabot[bot] in #​5426
• qlogwriter: fix storing of event schemas by @​marten-seemann in #​5430
• http3: send SETTINGS_MAX_FIELD_SECTION_SIZE in the SETTINGS frame by @​marten-seemann in #​5431
• http3: read response after encountering error sending the request by @​marten-seemann in #​5432
• http3: make Transport.MaxResponseBytes an int by @​marten-seemann in #​5433
• http3: add a benchmark for header parsing by @​marten-seemann in #​5435
• update qpack to v0.6.0 by @​marten-seemann in #​5434
• http3: use QPACK_DECOMPRESSION_FAILED for QPACK errors by @​marten-seemann in #​5439
• add documentation for Conn.NextConnection by @​marten-seemann in #​5442
• ackhandler: don’t generate an immediate ACK for the first packet by @​marten-seemann in #​5447
• don’t arm connection timer for connection ID retirement by @​marten-seemann in #​5449
• README: add nodepass to list of projects by @​yosebyte in #​5448
• qlogwriter: use synctest to make tests deterministic by @​marten-seemann in #​5454
• http3: limit size of decompressed headers by @​marten-seemann in #​5452

New Contributors

• @​yosebyte made their first contribution in #​5448

Full Changelog: quic-go/quic-go@v0.56.0...v0.57.0

v0.56.0

Compare Source

This release introduces qlog support for HTTP/3 (#​5367, #​5372, #​5374, #​5375, #​5376, #​5381, #​5383).

For this, we completely changed how connection tracing works. Instead of a general-purpose logging.ConnectionTracer (which we removed entirely), we now have a qlog-specific tracer (#​5356, #​5417). quic-go users can now implement their own qlog events.

It also removes the Prometheus-based metrics collection. Please comment on the tracking issue (#​5294) if you rely on metrics and are interested in seeing metrics brought back in a future release.

Notable Changes

• replaced the unmaintained gojay with a custom, performance-optimized JSON encoder (#​5353, #​5371)
• quicvarint: improved panic message for numbers larger than 2^62 (#​5410)

Behind the Scenes

Go 1.25 introduced support for testing concurrent code using testing/synctest. We've been working on transitioning tests to use synctest (#​5357, #​5391, #​5393, #​5397, #​5398, #​5403, #​5414, #​5415), using @​MarcoPolo's simnet package to simulate a network in memory.

Using synctest makes test execution more reliable (reducing flakiness). The use of a synthetic clock leads to a massive speedup; the execution time of some integration tests was reduced from 20s to less than 1ms. The work will continue for the next release (see tracking issue: #​5386).

Changelog

• qlog: implement a minimal jsontext-like JSON encoder by @​marten-seemann in #​5353
• ci: remove 386 (32 bit x86) by @​MarcoPolo in #​5352
• use synctest in more connection tests by @​marten-seemann in #​5357
• qlog: split serializiation and event definitions, remove logging abstraction by @​marten-seemann in #​5356
• qlogwriter: implement the draft-12 trace header by @​marten-seemann in #​5360
• qlogwriter: add support for event_schemas in the trace header by @​marten-seemann in #​5361
• qlogwriter: pass the event time to Event.Encode by @​marten-seemann in #​5362
• ackhandler: fix qlogging of alarm timer expiration time by @​marten-seemann in #​5363
• qlog: privatize Encode functions of non-Event structs by @​marten-seemann in #​5364
• fix qlogging of the short header payload length by @​marten-seemann in #​5365
• ci: include OS and Go version in Codecov test report upload by @​marten-seemann in #​5370
• http3: add basic server-side qlog support by @​marten-seemann in #​5367
• jsontext: add support for encoding null by @​marten-seemann in #​5371
• qlog: use PathEndpointInfo in connection_started by @​marten-seemann in #​5368
• http3: fix qlog encoding of frame_parsed and frame_created events by @​marten-seemann in #​5372
• http3: add basic client-side qlog support by @​marten-seemann in #​5374
• readme: update oss-fuzz link by @​kriztalz in #​5377
• http3: qlog sent and received GOAWAY frames by @​marten-seemann in #​5376
• http3: qlog sent and received DATAGRAMs by @​marten-seemann in #​5375
• http3: move qlogging of frames into the frame parser by @​marten-seemann in #​5378
• http3: qlog sent and received SETTINGS frames by @​marten-seemann in #​5379
• http3: qlog the frame length and payload length of parsed frames by @​marten-seemann in #​5380
• http3: qlog reserved, unsupported and unknown frames by @​marten-seemann in #​5381
• http3: add the qlog event schema to trace header by @​marten-seemann in #​5383
• use default RTT (100ms) for 0-RTT if no prior estimate by @​marten-seemann in #​5388
• congestion: avoid overflows when calculating pacer budget by @​marten-seemann in #​5390
• add simnet package to simulate a net.PacketConn in memory by @​marten-seemann in #​5385
• use synctest for transport tests by @​marten-seemann in #​5391
• use simnet in CONNECTION_CLOSE retransmission test by @​marten-seemann in #​5395
• use synctest for the packet drop test by @​marten-seemann in #​5393
• use synctest for the handshake drop test by @​marten-seemann in #​5397
• use synctest for the datagram test by @​marten-seemann in #​5398
• use synctest for the timeout tests by @​marten-seemann in #​5403
• fix flaky TestConnectionUnpackFailureDropped by @​Copilot in #​5382
• fix flaky TestServerTransportClose by @​Copilot in #​5407
• ci: use gcassert to check that quicvarint.Len is inlined by @​marten-seemann in #​5409
• quicvarint: improve panic message for numbers larger 2^62 by @​marten-seemann in #​5410
• ci: bump actions/upload-artifact from 4 to 5 by @​dependabot[bot] in #​5411
• ci: update golangci-lint to v2.6.0 by @​marten-seemann in #​5412
• qlog: rename owner to initiator by @​marten-seemann in #​5416
• use synctest for the stateless reset tests by @​marten-seemann in #​5415
• ackhandler: fix qlogging of RTT values by @​marten-seemann in #​5418
• qlog: rework the ConnectionClosed event by @​marten-seemann in #​5417
• qlog: split the PTO count updates ouf of the MetricsUpdated event by @​marten-seemann in #​5421

New Contributors

• @​kriztalz made their first contribution in #​5377
• @​Copilot made their first contribution in #​5382

Full Changelog: quic-go/quic-go@v0.55.0...v0.56.0

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 2 additional dependencies were updated

Details:

Package	Change
github.com/quic-go/qpack	v0.5.1 -> v0.6.0
golang.org/x/time	v0.11.0 -> v0.12.0