Fastly patches memory leak HTTP/3 vulnerability in H2O HTTP server project
02-Feb-22
Independent security researcher Emil Lerner said the problem impacted the Fastly cloud computing service and allowed attackers to grab “random requests and responses from uninitialized memory of its’ nodes” in a technical write-up published on January 31.
The bug, according to Lerner, has to do with how HTTP/3 is implemented on the server side. HTTP/3 is a next-generation web protocol that makes use of QUIC (a Google-developed protocol) with UDP space congestion control.
