Quinn Denial-of-Service Vulnerability via Malformed QUIC Transport Parameters

Vulnerability

A denial-of-service vulnerability has been identified in Quinn, a Rust-based implementation of the IETF QUIC transport protocol, in versions prior to 0.11.14. A remote, unauthenticated attacker can crash an application built on an affected Quinn version by sending a single crafted QUIC Initial packet whose transport parameters are malformed. The root cause is that the parsing logic in quinn-proto decodes attacker-controlled variable-length integers (varints) with unwrap(), so a truncated encoding triggers a panic instead of being rejected as a parse error. Because the Initial packet is processed before any handshake completes, the issue is reachable over the network with one packet and no prior trust or authentication.
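To make the bug class concrete, here is an added illustration that is not Quinn's code: a QUIC varint decoder written in the fragile unwrap() style beside a hardened one that returns an error on truncated input, plus a small (id, length, value) transport-parameter list parser built on the hardened decoder. The byte layout follows RFC 9000 section 16; the sample buffers are constructed for this example.

```rust
// Added example, not Quinn's code: QUIC varints (RFC 9000 section 16) and the
// (id, length, value) transport-parameter list, parsed fragile vs. hardened.

#[derive(Debug, PartialEq)]
pub enum ParseError {
    Empty,
    Truncated { needed: usize, available: usize },
}

/// Varint length is encoded in the two high bits of the first byte.
fn varint_len(first: u8) -> usize {
    1 << (first >> 6)
}

/// Big-endian value: low 6 bits of the first byte, then the remaining bytes.
fn accumulate(bytes: &[u8]) -> u64 {
    bytes[1..].iter().fold(u64::from(bytes[0] & 0x3f), |v, &b| (v << 8) | u64::from(b))
}

/// Fragile decoder: `get(..len)` yields None on a short buffer and `unwrap`
/// turns that into a process-level panic a remote peer can trigger at will.
pub fn decode_varint_panicking(buf: &[u8]) -> (u64, usize) {
    let len = varint_len(buf[0]);
    (accumulate(buf.get(..len).unwrap()), len) // panics on truncated input
}

/// Hardened decoder: every length assumption becomes a recoverable error.
pub fn decode_varint(buf: &[u8]) -> Result<(u64, usize), ParseError> {
    let first = *buf.first().ok_or(ParseError::Empty)?;
    let len = varint_len(first);
    let bytes = buf.get(..len).ok_or(ParseError::Truncated { needed: len, available: buf.len() })?;
    Ok((accumulate(bytes), len))
}

/// Transport parameters are a sequence of (id varint, length varint, value).
/// Returns (id, value) pairs, or an error if any entry is cut short.
pub fn parse_transport_params(mut buf: &[u8]) -> Result<Vec<(u64, Vec<u8>)>, ParseError> {
    let mut out = Vec::new();
    while !buf.is_empty() {
        let (id, n) = decode_varint(buf)?;
        buf = &buf[n..];
        let (len, n) = decode_varint(buf)?;
        buf = &buf[n..];
        let len = len as usize;
        let value = buf.get(..len).ok_or(ParseError::Truncated { needed: len, available: buf.len() })?;
        out.push((id, value.to_vec()));
        buf = &buf[len..];
    }
    Ok(out)
}
```

The hardened parser turns every short read into a ParseError the caller can map to a connection close, which is the behaviour a network-facing decoder needs.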

Impact

Exploitation of this vulnerability causes a process-level panic, crashing the application. The impact on the server or application depends on how the integration handles such panics.

Reproduction

The vulnerability can be reproduced by starting a server using Quinn's example server implementation. Once the server is running, a proof-of-concept client can be executed that sends a QUIC Initial packet containing malformed transport parameters. This can be done using a Python script that leverages the aioquic library to send the crafted packet to the server's QUIC listener.

Remediation

Users can upgrade to Quinn version 0.11.14 or later to address this vulnerability.

Added: Mar 10, 2026, 10:27 PM
Updated: Mar 10, 2026, 10:27 PM

Vulnerability Rating

Custom Algorithm

spread: 0.8
impact: 2.5
exploitability: 9.1
remediation: 7.7
relevance: 3.7
threat: 6.4
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.