When receiving QUIC frames in certain order, HTTP/3 server-side
implementation of h2o can be misguided to treat uninitialized
memory as HTTP/3 frames that have been received. When h2o is
used as a reverse proxy, an attacker can abuse this vulnerability
to send internal state of h2o to backend servers controlled by
the attacker or third party. Also, if there is an HTTP endpoint
that reflects the traffic sent from the client, an attacker can
use that reflector to obtain internal state of h2o.
This internal state includes traffic of other connections in
unencrypted form and TLS session tickets.
This vulnerability exists in h2o server with HTTP/3
support, between commit 93af138 and d1f0f65. None of the
released versions of h2o are affected by this vulnerability.