{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2023-49295","assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","state":"PUBLISHED","assignerShortName":"GitHub_M","dateReserved":"2023-11-24T16:45:24.314Z","datePublished":"2024-01-10T21:40:58.881Z","dateUpdated":"2025-06-17T20:59:15.978Z"},"containers":{"cna":{"title":"quic-go's path validation mechanism can cause denial of service","problemTypes":[{"descriptions":[{"cweId":"CWE-400","lang":"en","description":"CWE-400: Uncontrolled Resource Consumption","type":"CWE"}]}],"metrics":[{"cvssV3_1":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":6.4,"baseSeverity":"MEDIUM","confidentialityImpact":"LOW","integrityImpact":"LOW","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H","version":"3.1"}}],"references":[{"name":"https://github.com/quic-go/quic-go/security/advisories/GHSA-ppxx-5m9h-6vxf","tags":["x_refsource_CONFIRM"],"url":"https://github.com/quic-go/quic-go/security/advisories/GHSA-ppxx-5m9h-6vxf"},{"name":"https://github.com/quic-go/quic-go/commit/17fc98c2d81dbe685c19702dc694a9d606ac56dc","tags":["x_refsource_MISC"],"url":"https://github.com/quic-go/quic-go/commit/17fc98c2d81dbe685c19702dc694a9d606ac56dc"},{"name":"https://github.com/quic-go/quic-go/commit/21609ddfeff93668c7625a85eb09f1541fdad965","tags":["x_refsource_MISC"],"url":"https://github.com/quic-go/quic-go/commit/21609ddfeff93668c7625a85eb09f1541fdad965"},{"name":"https://github.com/quic-go/quic-go/commit/3a9c18bcd27a01c551ac9bf8bd2b4bded77c189a","tags":["x_refsource_MISC"],"url":"https://github.com/quic-go/quic-go/commit/3a9c18bcd27a01c551ac9bf8bd2b4bded77c189a"},{"name":"https://github.com/quic-go/quic-go/commit/554d543b50b917369fb1394cc5396d928166cf49","tags":["x_refsource_MISC"],"url":"https://github.com/quic-go/quic-go/commit/554d543b50b917369fb1394cc5396d928166cf49"},{"name":"https://github.com/qui
c-go/quic-go/commit/6cc3d58935426191296171a6c0d1ee965e10534e","tags":["x_refsource_MISC"],"url":"https://github.com/quic-go/quic-go/commit/6cc3d58935426191296171a6c0d1ee965e10534e"},{"name":"https://github.com/quic-go/quic-go/commit/9aaefe19fc3dc8c8917cc87e6128bb56d9e9e6cc","tags":["x_refsource_MISC"],"url":"https://github.com/quic-go/quic-go/commit/9aaefe19fc3dc8c8917cc87e6128bb56d9e9e6cc"},{"name":"https://github.com/quic-go/quic-go/commit/a0ffa757499913f7be69aa78f573a6aee3430ae4","tags":["x_refsource_MISC"],"url":"https://github.com/quic-go/quic-go/commit/a0ffa757499913f7be69aa78f573a6aee3430ae4"},{"name":"https://github.com/quic-go/quic-go/commit/d7aa627ebde91cf799ada2a07443faa9b1e5abb8","tags":["x_refsource_MISC"],"url":"https://github.com/quic-go/quic-go/commit/d7aa627ebde91cf799ada2a07443faa9b1e5abb8"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/G5RSHDTVMYAIGYVVFGKTMFHAZJMA3EVV/"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZE7IOKXX5AATU2WR3V76X5Y3A44QAATG/"}],"affected":[{"vendor":"quic-go","product":"quic-go","versions":[{"version":"= 0.40.0","status":"affected"},{"version":">= 0.39.0, < 0.39.4","status":"affected"},{"version":">= 0.38.0, < 0.38.2","status":"affected"},{"version":"< 0.37.7","status":"affected"}]}],"providerMetadata":{"orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M","dateUpdated":"2024-02-21T02:06:00.030Z"},"descriptions":[{"lang":"en","value":"quic-go is an implementation of the QUIC protocol (RFC 9000, RFC 9001, RFC 9002) in Go. An attacker can cause its peer to run out of memory sending a large number of PATH_CHALLENGE frames. The receiver is supposed to respond to each PATH_CHALLENGE frame with a PATH_RESPONSE frame. 
The attacker can prevent the receiver from sending out (the vast majority of) these PATH_RESPONSE frames by collapsing the peer's congestion window (by selectively acknowledging received packets) and by manipulating the peer's RTT estimate. This vulnerability has been patched in versions 0.37.7, 0.38.2 and 0.39.4."}],"source":{"advisory":"GHSA-ppxx-5m9h-6vxf","discovery":"UNKNOWN"}},"adp":[{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-02T21:53:45.389Z"},"title":"CVE Program Container","references":[{"name":"https://github.com/quic-go/quic-go/security/advisories/GHSA-ppxx-5m9h-6vxf","tags":["x_refsource_CONFIRM","x_transferred"],"url":"https://github.com/quic-go/quic-go/security/advisories/GHSA-ppxx-5m9h-6vxf"},{"name":"https://github.com/quic-go/quic-go/commit/17fc98c2d81dbe685c19702dc694a9d606ac56dc","tags":["x_refsource_MISC","x_transferred"],"url":"https://github.com/quic-go/quic-go/commit/17fc98c2d81dbe685c19702dc694a9d606ac56dc"},{"name":"https://github.com/quic-go/quic-go/commit/21609ddfeff93668c7625a85eb09f1541fdad965","tags":["x_refsource_MISC","x_transferred"],"url":"https://github.com/quic-go/quic-go/commit/21609ddfeff93668c7625a85eb09f1541fdad965"},{"name":"https://github.com/quic-go/quic-go/commit/3a9c18bcd27a01c551ac9bf8bd2b4bded77c189a","tags":["x_refsource_MISC","x_transferred"],"url":"https://github.com/quic-go/quic-go/commit/3a9c18bcd27a01c551ac9bf8bd2b4bded77c189a"},{"name":"https://github.com/quic-go/quic-go/commit/554d543b50b917369fb1394cc5396d928166cf49","tags":["x_refsource_MISC","x_transferred"],"url":"https://github.com/quic-go/quic-go/commit/554d543b50b917369fb1394cc5396d928166cf49"},{"name":"https://github.com/quic-go/quic-go/commit/6cc3d58935426191296171a6c0d1ee965e10534e","tags":["x_refsource_MISC","x_transferred"],"url":"https://github.com/quic-go/quic-go/commit/6cc3d58935426191296171a6c0d1ee965e10534e"},{"name":"https://github.com/quic-go/quic-go/commit/9aaefe19fc3dc8c8917cc8
7e6128bb56d9e9e6cc","tags":["x_refsource_MISC","x_transferred"],"url":"https://github.com/quic-go/quic-go/commit/9aaefe19fc3dc8c8917cc87e6128bb56d9e9e6cc"},{"name":"https://github.com/quic-go/quic-go/commit/a0ffa757499913f7be69aa78f573a6aee3430ae4","tags":["x_refsource_MISC","x_transferred"],"url":"https://github.com/quic-go/quic-go/commit/a0ffa757499913f7be69aa78f573a6aee3430ae4"},{"name":"https://github.com/quic-go/quic-go/commit/d7aa627ebde91cf799ada2a07443faa9b1e5abb8","tags":["x_refsource_MISC","x_transferred"],"url":"https://github.com/quic-go/quic-go/commit/d7aa627ebde91cf799ada2a07443faa9b1e5abb8"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/G5RSHDTVMYAIGYVVFGKTMFHAZJMA3EVV/","tags":["x_transferred"]},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZE7IOKXX5AATU2WR3V76X5Y3A44QAATG/","tags":["x_transferred"]}]},{"metrics":[{"other":{"type":"ssvc","content":{"id":"CVE-2023-49295","role":"CISA Coordinator","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"version":"2.0.3","timestamp":"2024-01-11T15:35:07.010763Z"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2025-06-17T20:59:15.978Z"}}]}}