quic-go
cpe:2.3:a:quic-go_project:quic-go:*:*:*:*:*:*:*
- <= 0.56.0
A denial-of-service vulnerability has been identified in quic-go, a QUIC protocol implementation in Go, affecting versions through 0.56.0. The issue lies in quic-go's HTTP/3 client and server implementations: a QPACK-encoded HEADERS frame can be crafted so that it decodes into a very large header field section, consisting of many unique header names and/or large values. Decoding such a frame leads to excessive memory allocation, because the implementation builds an http.Header for each http.Request and http.Response without enforcing a limit on the size of the decoded headers. Although the size of the QPACK-compressed HEADERS frame is restricted, no limit is enforced on the decompressed header field section, so the compression ratio of QPACK can be used to exhaust memory. The vulnerability is particularly concerning because a misbehaving or malicious peer can trigger it remotely, causing quic-go's HTTP/3 servers or clients to allocate excessive memory and potentially crash or run out of resources.
Exploitation of this vulnerability causes excessive memory allocation, leading to memory exhaustion and potential crashes or resource starvation on the affected server or client.
The vulnerability can be reproduced by sending a QPACK-encoded HEADERS frame that decodes into a large header field section, with many unique header names and/or large values. This requires a QUIC client that allows the QPACK-encoded headers to be manipulated, such as a custom-built client or a tool that supports QUIC and QPACK manipulation. The receiving server or client then allocates excessive memory, demonstrating the vulnerability.
Users can upgrade to quic-go version 0.57.0 or later, where this vulnerability has been fixed.
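The missing check the advisory describes is a bound on the decoded (uncompressed) header field section rather than on the compressed HEADERS frame. The following Go code is an added example written for this page and is not quic-go's own code or its fix: it sizes an http.Header using the accounting RFC 9114 borrows from HTTP/2 (length of name plus length of value plus 32 bytes of overhead per field) and wraps an http.Handler so that requests whose decoded field section exceeds a limit are rejected with 431. The names fieldSectionSize, exceedsLimit, limitFieldSection and constructedHeader are assumptions of this example, and the header built by constructedHeader is constructed sample data. Note the caveat: in affected versions the http.Header has already been allocated by the time a handler runs, so this check does not prevent the memory exhaustion itself; the upgrade to 0.57.0 is the fix, and the example shows the kind of limit that fix enforces and gives handlers a bound on what they go on to process.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// fieldSectionSize returns the uncompressed size of a header field section
// using the accounting from RFC 9114 section 4.2.2 (inherited from HTTP/2):
// for every field, len(name) + len(value) + 32 bytes of overhead.
// A name carrying several values counts each value as its own field.
func fieldSectionSize(h http.Header) int {
	size := 0
	for name, values := range h {
		for _, v := range values {
			size += len(name) + len(v) + 32
		}
	}
	return size
}

// exceedsLimit reports whether the decoded field section is larger than limit bytes.
func exceedsLimit(h http.Header, limit int) bool {
	return fieldSectionSize(h) > limit
}

// limitFieldSection wraps next and rejects requests whose decoded header
// field section exceeds limit bytes with 431 Request Header Fields Too Large.
// It runs after decoding, so it bounds handler-side processing only.
func limitFieldSection(next http.Handler, limit int) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if exceedsLimit(r.Header, limit) {
			http.Error(w, "header field section too large", http.StatusRequestHeaderFieldsTooLarge)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// constructedHeader builds constructed sample data with n unique header names,
// each carrying a value of valueLen bytes: the shape of field section the
// advisory describes, built in memory here purely to exercise the check.
func constructedHeader(n, valueLen int) http.Header {
	h := http.Header{}
	val := strings.Repeat("x", valueLen)
	for i := 0; i < n; i++ {
		h.Set(fmt.Sprintf("X-Field-%d", i), val)
	}
	return h
}

func main() {
	const limit = 64 << 10 // 64 KiB, a typical per-request field section bound
	small := http.Header{"Content-Type": {"text/plain"}}
	big := constructedHeader(1000, 100)
	fmt.Printf("small: %d bytes, rejected=%v\n", fieldSectionSize(small), exceedsLimit(small, limit))
	fmt.Printf("big:   %d bytes, rejected=%v\n", fieldSectionSize(big), exceedsLimit(big, limit))
}
```

The 32-byte overhead per field matters for the case in the advisory: a section made of thousands of tiny unique names is still charged for its per-field cost, so a limit expressed this way catches "many names" as well as "large values".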