207 matches found
PT-2025-36468
Name of the Vulnerable Software and Affected Versions: EOL ASP.NET versions 6.0.0 through 6.0.36; EOL ASP.NET versions 8.0.0 through 8.0.8; EOL ASP.NET versions 9.0.0-preview.1.24081.5 through 9.0.0.RC.1. Description: A race condition may occur when closing an HTTP/3 stream while application code is...
Linux Distros Unpatched Vulnerability : CVE-2024-45403
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3. When h2o is configured as a reverse proxy and HTTP/3 requests are cancelled by the client, h...
quiche security vulnerability
quiche is a Cloudflare open source implementation of the IETF-designated QUIC transport protocol and HTTP/3. A security vulnerability exists in quiche versions prior to 0.15.0 through 0.24.5, which stems from a potential infinite loop when sending a packet containing a RETIRE_CONNECTION_ID frame...
quiche security vulnerability
quiche is a Cloudflare open source implementation of the IETF-designated QUIC transport protocol and HTTP/3. A security vulnerability exists in quiche that stems from an improperly growing congestion window that could cause data to be sent at a rate that exceeds the path support capability...
Curl 8.5.0 < 8.14.0 Improper Certificate Validation (CVE-2025-5025)
The version of Curl installed on the remote host is missing a security update. It is, therefore, affected by an improper certificate validation vulnerability. - libcurl supports pinning of the server certificate public key for HTTPS transfers. Due to an omission, this check is not performed when...
SUSE CVE-2025-5025
libcurl supports pinning of the server certificate public key for HTTPS transfers. Due to an omission, this check is not performed when connecting with QUIC for HTTP/3, when the TLS backend is wolfSSL. Documentation says the option works with wolfSSL, failing to specify that it does not for QUIC...
No QUIC certificate pinning with wolfSSL
libcurl supports pinning of the server certificate public key for HTTPS transfers. Due to an omission, this check is not performed when connecting with QUIC for HTTP/3, when the TLS backend is wolfSSL. Documentation says the option works with wolfSSL, failing to specify that it does not for QUIC...
Improper Certificate Validation
Overview Affected versions of this package are vulnerable to Improper Certificate Validation through pinning of the server certificate public key for HTTPS transfers. An attacker can impersonate a legitimate server and intercept or manipulate communications by presenting a fraudulent certificate...
ALPINE-CVE-2025-5025
libcurl supports pinning of the server certificate public key for HTTPS transfers. Due to an omission, this check is not performed when connecting with QUIC for HTTP/3, when the TLS backend is wolfSSL. Documentation says the option works with wolfSSL, failing to specify that it does not for QUIC...
DEBIAN-CVE-2025-5025
libcurl supports pinning of the server certificate public key for HTTPS transfers. Due to an omission, this check is not performed when connecting with QUIC for HTTP/3, when the TLS backend is wolfSSL. Documentation says the option works with wolfSSL, failing to specify that it does not for QUIC...
libcurl security vulnerability
libcurl is a free and easy-to-use client-side URL transport library from the cURL open source project. A security vulnerability exists in libcurl that stems from QUIC and HTTP/3 connections that do not perform certificate public key pinning checks, which could lead to a man-in-the-middle attack...
USN-7427-1 dotnet8, dotnet9 vulnerability
James Newton-King discovered that .NET did not properly limit resource allocation when handling certain HTTP/3 requests. An attacker could possibly use this issue to cause a denial of service...
Allocation of Resources Without Limits or Throttling
Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling when handling very large buffered HTTP/3 header values. Remediation Upgrade Microsoft.AspNetCore.App.Runtime.osx-arm64 to version 8.0.15, 9.0.4 or higher. References - GitHub Commit -...
Allocation of Resources Without Limits or Throttling
Overview Microsoft.AspNetCore.App.Runtime.linux-musl-arm is a package providing a default set of APIs for building an ASP.NET Core application. Contains assets used for self-contained deployments. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or...
Allocation of Resources Without Limits or Throttling
Overview Microsoft.AspNetCore.App.Runtime.linux-musl-x64 is a package providing a default set of APIs for building an ASP.NET Core application. Contains assets used for self-contained deployments. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or...
Allocation of Resources Without Limits or Throttling
Overview Microsoft.AspNetCore.App.Runtime.linux-x64 is a package providing a default set of APIs for building an ASP.NET Core application. Contains assets used for self-contained deployments. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling...
Security update for haproxy
This update for haproxy fixes the following issues: Update to version 2.8.11+git0.01c1056a4: VUL-0: CVE-2024-53008: haproxy: HTTP/3 request smuggling via malformed HTTP headers forwarded to a HTTP/1.1 non-compliant back-end server bsc1233973 BUG/MINOR: cfgparse-listen: fix option httpslog overrid...
The vulnerability of the QUIC and HTTP/3 implementations in the C language package NGTCP2 lies in the improper implementation of control flow management, allowing an attacker to execute arbitrary code.
The vulnerability of the QUIC and HTTP/3 implementations in the C language package NGTCP2 is related to the implementation of incorrect flow control. Exploiting this vulnerability could allow a remote attacker to execute arbitrary code...
PT-2024-31607 · H2O · H2O
Name of the Vulnerable Software and Affected Versions: h2o versions prior to the version containing commit 1ed32b2 Description: The issue affects h2o, an HTTP server that supports HTTP/1.x, HTTP/2, and HTTP/3. When configured as a reverse proxy, h2o may crash due to an assertion failure if HTTP/3...
dotnet: kestrel: closing an HTTP/3 stream can cause a race condition and lead to remote code execution
A flaw was found in dotnet. When closing an HTTP/3 stream while application code is writing to the response body, a race condition can cause a use-after-free...