Fastly patches memory leak HTTP/3 vulnerability in H2O HTTP server project


In a technical write-up published on January 31, independent security researcher Emil Lerner said the problem impacted the Fastly cloud computing service and allowed attackers to grab “random requests and responses from uninitialized memory of its nodes”.

The bug, according to Lerner, has to do with how HTTP/3 is implemented on the server side. HTTP/3 is a next-generation web protocol that runs over QUIC, a Google-developed protocol that uses user-space congestion control over UDP.

