86 matches found
curl: HTTP/3 paused transfer buffers incoming data without bound up to ~1 GiB
Hi all, When a libcurl application's CURLOPT_WRITEFUNCTION returns CURL_WRITEFUNC_PAUSE, libcurl routes subsequent incoming body data through cw-pause (lib/cw-pause.c). The bufq inside cw-pause is initialised with BUFQ_OPT_SOFT_LIMIT and a chunk size of 16 KiB (lib/cw-pause.c:51-52), which causes bufq to...
EUVD-2024-1042
Malicious code in bioql PyPI...
EUVD-2025-23915
Malicious code in bioql PyPI...
EUVD-2023-3306
Malicious code in bioql PyPI...
EUVD-2024-30726
Malicious code in bioql PyPI...
EUVD-2025-18652
Malicious code in bioql PyPI...
EUVD-2025-18651
Malicious code in bioql PyPI...
EUVD-2024-0855
Malicious code in bioql PyPI...
FreeBSD : quiche -- Infinite loop triggered by connection ID retirement (32bdeb94-9958-11f0-b6e2-6805ca2fa271)
The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the 32bdeb94-9958-11f0-b6e2-6805ca2fa271 advisory. Quiche Releases reports: This update includes 1 security fix: Tenable has extracted the preceding...
FreeBSD : quiche -- Multiple vulnerabilities (7b0cbc73-9955-11f0-b6e2-6805ca2fa271)
The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the 7b0cbc73-9955-11f0-b6e2-6805ca2fa271 advisory. Quiche Releases reports: This update includes 2 security fixes: Tenable has extracted the...
GHSA-M3HH-F9GH-74C2 vulnerabilities
Vulnerabilities for packages: quiche...
CVE-2025-7054 vulnerabilities
Vulnerabilities for packages: quiche...
CVE-2025-7054
Cloudflare quiche was discovered to be vulnerable to an infinite loop when sending packets containing RETIRE_CONNECTION_ID frames. QUIC connections possess a set of connection identifiers (IDs); see Section 5.1 of RFC 9000 (https://datatracker.ietf.org/doc/html/rfc9000#section-5.1). Once the QUIC...
SQUICD (>=0.1.0 <=0.1.1), bolic-network (=0.0.1) +7 more potentially affected by CVE-2025-7054 via quiche (>=0.16.0 <=0.22.0)
quiche CARGO version =0.16.0, =0.1.0, =0.2.4, =0.0.1, =0.0.2 - quiche-async =0.0.0 - quiche-tokio =0.1.0 - quiver-h3 =0.1.0 Source cves: CVE-2025-7054 Source advisory: OSV:GHSA-M3HH-F9GH-74C2...
quiche connection ID retirement can trigger an infinite loop
Impact: Cloudflare quiche was discovered to be vulnerable to an infinite loop when sending packets containing RETIRE_CONNECTION_ID frames. QUIC connections possess a set of connection identifiers (IDs); see Section 5.1 of RFC 9000. Once the QUIC handshake completes, a local endpoint is responsible for...
GHSA-M3HH-F9GH-74C2 quiche connection ID retirement can trigger an infinite loop
Impact: Cloudflare quiche was discovered to be vulnerable to an infinite loop when sending packets containing RETIRE_CONNECTION_ID frames. QUIC connections possess a set of connection identifiers (IDs); see Section 5.1 of RFC 9000. Once the QUIC handshake completes, a local endpoint is responsible for...