This release contains a fix for CVE-2025-64702 by reworking the HTTP/3 header processing logic:

• Both client and server now send their respective header size constraints using the SETTINGS_MAX_FIELD_SECTION_SIZE setting: #5431
• For any QPACK-related errors, the correct error code (QPACK_DECOMPRESSION_FAILED) is now used: #5439
• QPACK header parsing is now incremental (instead of parsing all headers at once), which is ~5-10% faster and reduces allocations: #5435 (and https://github.com/quic-go/qpack/pull/67)
• The server now sends a 431 status code (Request Header Fields Too Large) when encountering HTTP header fields exceeding the size constraint: #5452

Breaking Changes

• http3: Transport.MaxResponseBytes is now an int (before: int64): #5433  

Notable Fixes

• qlogwriter: fix storing of event schemas (this prevented qlog event logging from working for HTTP/3): #5430
• http3: errors sending the request are now ignored, instead, the response from the server is read (thereby allowing the client to read the status code, for example): #5432

What's Changed

• build(deps): bump golangci/golangci-lint-action from 8 to 9 by @dependabot[bot] in https://github.com/quic-go/quic-go/pull/5426
• qlogwriter: fix storing of event schemas by @marten-seemann in https://github.com/quic-go/quic-go/pull/5430
• http3: send SETTINGS_MAX_FIELD_SECTION_SIZE in the SETTINGS frame by @marten-seemann in https://github.com/quic-go/quic-go/pull/5431
• http3: read response after encountering error sending the request by @marten-seemann in https://github.com/quic-go/quic-go/pull/5432
• http3: make Transport.MaxResponseBytes an int by @marten-seemann in https://github.com/quic-go/quic-go/pull/5433
• http3: add a benchmark for header parsing by @marten-seemann in https://github.com/quic-go/quic-go/pull/5435
• update qpack to v0.6.0 by @marten-seemann in https://github.com/quic-go/quic-go/pull/5434
• http3: use QPACK_DECOMPRESSION_FAILED for QPACK errors by @marten-seemann in https://github.com/quic-go/quic-go/pull/5439
• add documentation for Conn.NextConnection by @marten-seemann in https://github.com/quic-go/quic-go/pull/5442
• ackhandler: don’t generate an immediate ACK for the first packet by @marten-seemann in https://github.com/quic-go/quic-go/pull/5447
• don’t arm connection timer for connection ID retirement by @marten-seemann in https://github.com/quic-go/quic-go/pull/5449
• README: add nodepass to list of projects by @yosebyte in https://github.com/quic-go/quic-go/pull/5448
• qlogwriter: use synctest to make tests deterministic by @marten-seemann in https://github.com/quic-go/quic-go/pull/5454
• http3: limit size of decompressed headers by @marten-seemann in https://github.com/quic-go/quic-go/pull/5452

New Contributors

• @yosebyte made their first contribution in https://github.com/quic-go/quic-go/pull/5448

Full Changelog: https://github.com/quic-go/quic-go/compare/v0.56.0...v0.57.0