CVE-2023-50247

Name of the Vulnerable Software and Affected Versions h2o versions 2.3.0-beta and prior

Description The QUIC stack, as used by h2o, is susceptible to a state exhaustion attack. When h2o is serving HTTP/3, a remote attacker can exploit this vulnerability to progressively increase the memory retained by the QUIC stack. This can eventually cause h2o to abort due to memory exhaustion. HTTP/1 and HTTP/2 are not affected by this vulnerability as they do not use QUIC.

Recommendations For versions 2.3.0-beta and prior, consider disabling HTTP/3 support as a temporary workaround to mitigate the issue. Update to a version that includes the fix committed in d67e81d03be12a9d53dc8271af6530f40164cd35 to fully resolve the issue.