Impact
Quicly up to commit 43f86e5 is susceptible to a state exhaustion attack.
A remote attacker can exploit this vulnerability to progressively increase the memory retained by the QUIC stack. This may lead to applications using quicly to abort due to memory exhaustion.
Patches
The vulnerability has been addressed in commit db5d54a. Users should upgrade quicly to commit db5d54a or above.
References
This vulnerability is an instance of a misspecification (or an oversight) in the QUIC version 1 protocol, which was reported by @marten-seemann.
See also: corresponding H2O security advisory.