Protection Mechanism Failure Affecting github.com/refraction-networking/utls package, versions <1.7.0


Severity: medium

CVSS assessment made by Snyk's Security Team.

  • Snyk ID: SNYK-GOLANG-GITHUBCOMREFRACTIONNETWORKINGUTLS-9833969
  • Published: 28 Apr 2025
  • Disclosed: 24 Apr 2025
  • Credit: Unknown

Introduced: 24 Apr 2025

CVE: not available. CWE: CWE-693 (Protection Mechanism Failure)

How to fix?

Upgrade github.com/refraction-networking/utls to version 1.7.0 or higher.

Overview

Affected versions of this package are vulnerable to Protection Mechanism Failure in the ClientHandshake() function, which handles ClientHello messages and, in particular, the check on the serverHello.random field. An attacker who removes the SupportedVersions extension can downgrade the connection from TLS 1.3 and thereby bypass the check for the downgrade canary, which could facilitate traffic interception and man-in-the-middle (MitM) attacks. Protection against TLS downgrade is required by RFC 8446 Section 4.1.3.
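The downgrade check the advisory refers to, written as an added example (not code from the uTLS project): the RFC 8446 Section 4.1.3 sentinel comparison is keyed on the version actually negotiated, so a ServerHello with the supported_versions extension stripped (modelled here as selectedVersion == 0, falling back to legacy_version) still gets checked. The function name, parameters and the sample random are assumptions for this example.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
)

// Wire values for the TLS versions involved (same as crypto/tls).
const VersionTLS12, VersionTLS13 uint16 = 0x0303, 0x0304

// Downgrade sentinels from RFC 8446 Section 4.1.3: a TLS 1.3 server that
// negotiates an older version puts one in the last 8 bytes of ServerHello.random.
var (
	canaryTLS12  = []byte("DOWNGRD\x01") // 44 4F 57 4E 47 52 44 01
	canaryTLS11  = []byte("DOWNGRD\x00") // 44 4F 57 4E 47 52 44 00
	ErrDowngrade = errors.New("tls: downgrade attempt detected in ServerHello.random")
)

// CheckDowngradeCanary is the client-side check from RFC 8446 Section 4.1.3,
// keyed on the negotiated version rather than on whether the supported_versions
// extension arrived, so stripping that extension (selectedVersion == 0) does not skip it.
func CheckDowngradeCanary(clientMaxVersion, legacyVersion, selectedVersion uint16, serverRandom []byte) error {
	if len(serverRandom) != 32 {
		return errors.New("tls: ServerHello.random must be 32 bytes")
	}
	if clientMaxVersion < VersionTLS13 {
		return nil // the MUST-level check applies to TLS 1.3 clients only
	}
	negotiated := legacyVersion
	if selectedVersion != 0 { // supported_versions overrides legacy_version (RFC 8446 4.2.1)
		negotiated = selectedVersion
	}
	if negotiated >= VersionTLS13 {
		return nil // no downgrade occurred
	}
	tail := serverRandom[24:]
	if bytes.Equal(tail, canaryTLS12) || bytes.Equal(tail, canaryTLS11) {
		return ErrDowngrade // abort with illegal_parameter per the RFC
	}
	return nil
}

func main() {
	// Constructed sample: TLS 1.2 canary, supported_versions stripped (selectedVersion == 0).
	rnd := make([]byte, 32)
	copy(rnd[24:], canaryTLS12)
	fmt.Println(CheckDowngradeCanary(VersionTLS13, VersionTLS12, 0, rnd))
}
```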
