Finnbear

**Name of the Vulnerable Software and Affected Versions** quinn-proto version 0.11 **Description** The issue arises when a server calls `retry()` on an unvalidated connection, exposing it to a likely panic in two situations: 1. When `refuse` or `ignore` is called on the resulting validated connection and a duplicate initial packet is received. 2. When accepting a connection and the initial packet for the resulting validated connection fails to decrypt or exhausts connection IDs, but a similar initial packet that successfully decrypts and doesn't exhaust connection IDs is received. The former situation has been observed in a real application, while the latter is theoretical. This can lead to a denial of service for internet-facing servers. **Recommendations** For quinn-proto version 0.11, consider disabling the `retry()` function on unvalidated connections until a patch is available. As a temporary workaround, restrict the use of `refuse()` and `ignore()` on validated connections that have been retried to minimize the risk of panic. Avoid accepting connections when the initial packet fails to decrypt or exhausts connection IDs, if possible, until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.