webtransport-go CloseWithError can block indefinitely

webtransport-go is an implementation of the WebTransport protocol. Prior to v0.10.0, an attacker can cause a denial of service in webtransport-go by preventing or indefinitely delaying WebTransport session closure. A malicious peer can withhold QUIC flow control credit on the CONNECT stream, blocking transmission of the WT_CLOSE_SESSION capsule and causing the close operation to hang. This vulnerability is fixed in v0.10.0.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

未加控制的资源消耗(资源穷尽)

webtransport-go 资源管理错误漏洞

webtransport-go是quic-go开源的一个Go语言库。 webtransport-go 0.10.0之前版本存在资源管理错误漏洞，该漏洞源于恶意对等方可能阻止或无限期延迟会话关闭，可能导致拒绝服务。

N/A

N/A