webtransport-go affected by Memory Exhaustion Attack due to Missing Length Check in WT_CLOSE_SESSION Capsule
Description
webtransport-go is an implementation of the WebTransport protocol. From 0.3.0 to 0.9.0, an attacker can cause excessive memory consumption in webtransport-go's session implementation by sending a WT_CLOSE_SESSION capsule containing an excessively large Application Error Message. The implementation does not enforce the draft-mandated limit of 1024 bytes on this field, allowing a peer to send an arbitrarily large message payload that is fully read and stored in memory. This allows an attacker to consume an arbitrary amount of memory. The attacker must transmit the full payload to achieve the memory consumption, but the lack of any upper bound makes large-scale attacks feasible given sufficient bandwidth. This vulnerability is fixed in 0.10.0.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/quic-go/webtransport-goGo | >= 0.3.0, < 0.10.0 | 0.10.0 |
Affected products
1- Range: < 0.10.0
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
4- github.com/advisories/GHSA-g6x7-jq8p-6q9qghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-21434ghsaADVISORY
- github.com/quic-go/webtransport-go/releases/tag/v0.10.0ghsax_refsource_MISCWEB
- github.com/quic-go/webtransport-go/security/advisories/GHSA-g6x7-jq8p-6q9qghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.