CVE-2023-49295 in quic-go
Summary
by MITRE • 01/11/2024
quic-go is an implementation of the QUIC protocol (RFC 9000, RFC 9001, RFC 9002) in Go. An attacker can cause its peer to run out of memory sending a large number of PATH_CHALLENGE frames. The receiver is supposed to respond to each PATH_CHALLENGE frame with a PATH_RESPONSE frame. The attacker can prevent the receiver from sending out (the vast majority of) these PATH_RESPONSE frames by collapsing the peers congestion window (by selectively acknowledging received packets) and by manipulating the peer's RTT estimate. This vulnerability has been patched in versions 0.37.7, 0.38.2 and 0.39.4.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 06/18/2025
The vulnerability CVE-2023-49295 affects quic-go, a widely-used implementation of the QUIC protocol in the Go programming language. This issue represents a memory exhaustion attack that exploits the protocol's path validation mechanism, specifically targeting the handling of PATH_CHALLENGE and PATH_RESPONSE frames as defined in RFC 9000 and RFC 9001. The flaw enables an attacker to consume excessive memory resources on the targeted system through carefully crafted packet sequences that manipulate the QUIC connection state.
The technical exploitation occurs when an attacker sends a large volume of PATH_CHALLENGE frames to a quic-go peer, which is required to respond with corresponding PATH_RESPONSE frames for path validation purposes. The vulnerability stems from the receiver's failure to properly handle the congestion control mechanisms during this validation process. By selectively acknowledging received packets, the attacker can collapse the peer's congestion window while simultaneously manipulating the round-trip time estimation, effectively preventing the legitimate PATH_RESPONSE frames from being transmitted. This creates a memory accumulation scenario where the receiver maintains state for each unanswered PATH_CHALLENGE frame, leading to unbounded memory growth.
From an operational impact perspective, this vulnerability presents a significant denial-of-service threat that can affect any system running quic-go versions prior to 0.37.7, 0.38.2, or 0.39.4. The memory exhaustion occurs gradually but can quickly overwhelm system resources, potentially causing application crashes or system instability. The attack requires minimal computational resources from the attacker while generating substantial resource consumption on the target, making it particularly dangerous in network environments where QUIC protocol is extensively used. This vulnerability directly relates to CWE-400, which addresses unchecked resource consumption, and can be categorized under ATT&CK technique T1499.004 for resource exhaustion attacks.
The mitigation strategy involves upgrading to patched versions of quic-go, specifically versions 0.37.7, 0.38.2, or 0.39.4, which implement proper memory management and congestion control mechanisms during path validation. Organizations should also consider implementing network-level protections such as rate limiting for PATH_CHALLENGE frames and monitoring for unusual memory consumption patterns. The fix addresses the root cause by ensuring that the protocol implementation properly handles congestion control during path validation and limits the memory footprint of pending PATH_RESPONSE frame states. Additionally, system administrators should monitor for potential exploitation attempts through network traffic analysis and implement appropriate firewall rules to limit the number of PATH_CHALLENGE frames that can be sent to a single connection within a given time period.