CVE-2024-53259: 
IPFS vulnerability analysis and mitigation

CVE-2024-53259 affects quic-go, an implementation of the QUIC protocol in Go. The vulnerability was discovered and disclosed in December 2024, impacting versions prior to 0.48.2. The vulnerability affects systems using quic-go on Linux platforms (NVD).

The vulnerability allows an off-path attacker to inject an ICMP Packet Too Large packet. Since affected quic-go versions used IPPMTUDISCDO, the kernel would return a "message too large" error on sendmsg when quic-go attempts to send a packet that exceeds the MTU claimed in that ICMP packet. By setting this value to smaller than 1200 bytes (the minimum MTU for QUIC), the attacker can disrupt a QUIC connection. The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (MEDIUM) with vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (NVD).

The vulnerability can be exploited after completion of the handshake, thereby circumventing any TCP fallback that might be implemented on the application layer. For example, many browsers fall back to HTTP over TCP if they're unable to establish a QUIC connection. The attacker only needs to know the client's IP and port tuple to mount an attack (NVD).

The vulnerability has been fixed in quic-go version 0.48.2. The fix involves using IPPMTUDISCPROBE instead of IPPMTUDISCDO on Linux systems (GitHub Commit).