1 comment

[ 4.2 ms ] story [ 9.1 ms ] thread
> When NGINX Open Source is configured to use the HTTP/3 QUIC module, a remote unauthenticated attacker along with conditions beyond their control can use a specially crafted HTTP/3 session to reopen a QPACK encoder stream.

Emphasis is mine. How much heavy lifting is this phrase doing?