CVE-2023-50247: 
NixOS vulnerability analysis and mitigation

The vulnerability (CVE-2023-50247) affects the QUIC stack (quicly) implementation in H2O server versions up to 2.3.0-beta and prior (commit 43f86e5). H2O is an HTTP server that supports HTTP/1.x, HTTP/2, and HTTP/3 protocols. The vulnerability was disclosed on December 12, 2023 (GitHub Advisory).

The vulnerability is a state exhaustion attack that affects the QUIC stack implementation. It has been assigned a CVSS v3.1 base score of 7.5 HIGH by NIST (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), though GitHub initially rated it as LOW with a score of 3.7 (Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L). The vulnerability is classified as CWE-770 (Allocation of Resources Without Limits or Throttling) (NVD).

When H2O is serving HTTP/3, a remote attacker can exploit this vulnerability to progressively increase the memory retained by the QUIC stack. This can eventually cause H2O to abort due to memory exhaustion (GitHub Advisory).

The vulnerability has been patched in commit d67e81d03be12a9d53dc8271af6530f40164cd35. For systems that cannot immediately upgrade, administrators can disable HTTP/3 support as a workaround since HTTP/1 and HTTP/2 are not affected by this vulnerability (GitHub Advisory).

The vulnerability was identified as an instance of a misspecification or oversight in the QUIC version 1 protocol, initially reported by researcher @marten-seemann (GitHub Advisory).