🟠 High  |  Source: The Hacker News


A vulnerability nicknamed XRING in Alibaba’s open-source XQUIC library allows any remote attacker to crash an HTTP/3 server using roughly 260 bytes of entirely legitimate QPACK traffic — no authentication or malformed packets required. The flaw stems from a single incorrect variable in the codebase and was publicly disclosed by FoxIO researcher Sébastien Féry on 8 July. No patch is currently available, leaving all deployments of XQUIC exposed.

Security Architect’s Take: If your infrastructure uses XQUIC for HTTP/3 termination, disable HTTP/3 support or place XQUIC servers behind a gateway that can rate-limit or block QPACK traffic until a patch is released. Treat this as a high-priority availability risk given the trivial, unauthenticated exploit path.

Original advisory: Unpatched XRING Flaw in XQUIC Lets Remote Clients Crash HTTP/3 Servers