Headline
GHSA-pmc3-p9hx-jq96: uTLS ServerHellos are accepted without checking TLS 1.3 downgrade canaries
Description
Before version 1.7.0, utls did not implement the TLS 1.3 downgrade protection mechanism specified in RFC 8446 Section 4.1.3 when using a utls ClientHello spec. This allowed an active network adversary to downgrade TLS 1.3 connections initiated by a utls client to a lower TLS version (e.g., TLS 1.2) by modifying the ClientHello message to exclude the SupportedVersions extension, causing the server to respond with a TLS 1.2 ServerHello (along with a downgrade canary in the ServerHello random field). Because utls did not check the downgrade canary in the ServerHello random field, clients would accept the downgraded connection without detecting the attack. This attack could also be used by an active network attacker to fingerprint utls connections.
Fix Commit or Pull Request
refraction-networking/utls#337, specifically refraction-networking/utls@f8892761e2a4d29054264651d3a86fda83bc83f9
References
- https://github.com/refraction-networking/utls/issues/181
Skip to content
Navigation Menu
GitHub Copilot
Write better code with AI
GitHub Advanced Security
Find and fix vulnerabilities
Actions
Automate any workflow
Codespaces
Instant dev environments
Issues
Plan and track work
Code Review
Manage code changes
Discussions
Collaborate outside of code
Code Search
Find more, search less
Explore
- Learning Pathways
- Events & Webinars
- Ebooks & Whitepapers
- Customer Stories
- Partners
- Executive Insights
GitHub Sponsors
Fund open source developers
* The ReadME Project
GitHub community articles
Enterprise platform
AI-powered developer platform
- Pricing
Provide feedback
Saved searches****Use saved searches to filter your results more quickly
Sign up
- GitHub Advisory Database
- GitHub Reviewed
- GHSA-pmc3-p9hx-jq96
uTLS ServerHellos are accepted without checking TLS 1.3 downgrade canaries
Moderate severity GitHub Reviewed Published Apr 23, 2025 in refraction-networking/utls • Updated Apr 23, 2025
Package
gomod github.com/refraction-networking/utls (Go)
Affected versions
< 1.7.0
Description
Description
Before version 1.7.0, utls did not implement the TLS 1.3 downgrade protection mechanism specified in RFC 8446 Section 4.1.3 when using a utls ClientHello spec. This allowed an active network adversary to downgrade TLS 1.3 connections initiated by a utls client to a lower TLS version (e.g., TLS 1.2) by modifying the ClientHello message to exclude the SupportedVersions extension, causing the server to respond with a TLS 1.2 ServerHello (along with a downgrade canary in the ServerHello random field). Because utls did not check the downgrade canary in the ServerHello random field, clients would accept the downgraded connection without detecting the attack. This attack could also be used by an active network attacker to fingerprint utls connections.
Fix Commit or Pull Request
refraction-networking/utls#337, specifically refraction-networking/utls@f889276
References
- refraction-networking/utls#181
References
- GHSA-pmc3-p9hx-jq96
- refraction-networking/utls#181
- refraction-networking/utls#337
- refraction-networking/utls@f889276
Published to the GitHub Advisory Database
Apr 23, 2025
Last updated
Apr 23, 2025
EPSS score