Mwedl

Name of the Vulnerable Software and Affected Versions: h2o (affected versions not specified) Description: The issue concerns an HTTP server that supports various HTTP versions. When specific conditions are met, such as receiving an HTTP request using TLS/1.3 early data on top of TCP Fast Open or QUIC 0-RTT packets, and IP-address-based access control is in use, the access control fails to detect and block HTTP requests from packets with a spoofed source address. This allows attackers to execute HTTP requests from addresses that would normally be rejected. Recommendations: For all affected versions, consider disabling the use of TCP FastOpen and QUIC as a temporary mitigation measure until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Traefik versions prior to 2.11.6, 3.0.4, and 3.1.0-rc3 **Description** The issue allows bypassing IP allow-lists via HTTP/3 early data requests in QUIC 0-RTT handshakes sent with spoofed IP addresses. This occurs because HTTP/3 servers process early data requests before the handshake is completed and the client's IP address is validated. Attackers can obtain a session ticket from the HTTP/3 server, then prepare a UDP datagram containing a QUIC initial packet with a TLS ClientHello and the session ticket, a QUIC 0-RTT packet with early data encrypted with the pre-shared key from the session ticket, and an HTTP/3 request. This prepared UDP datagram can be sent to the server with an arbitrarily spoofed source IP address, allowing the attacker to bypass IP allow-lists. **Recommendations** To resolve the issue, update to Traefik version 2.11.6, 3.0.4, or 3.1.0-rc3, as these versions contain a patch for the vulnerability. For versions prior to 2.11.6, consider responding with HTTP status code 425 Too Early when 0-RTT early data requests match `ipAllowList.sourceRange` middleware. Alternatively, delay processing of 0-RTT early data requests until the handshake is completed and the client's IP address is validated when 0-RTT early data requests match `ipAllowList.sourceRange` middleware.