CVE-2026-40898
High · CVSS 7.5
False Positive

KrakenD depends on the quic-go library only transitively: gin imports
quic-go/http3 at the package level to expose its RunQUIC() helper. KrakenD never
calls RunQUIC(): it serves traffic over standard net/http (HTTP/1.1 and HTTP/2)
and uses no HTTP/3 client to reach backends. With no HTTP/3 server started and no
HTTP/3 client in use, the vulnerable QPACK trailer-decoding path is never executed,
and there is no configuration option that enables HTTP/3 serving. Because the
package is linked into the binary, SCA scanners that match on the module list or
SBOM may still flag quic-go; reachability-aware tools such as govulncheck, which
check whether the vulnerable symbols are actually reachable rather than merely
linked, correctly report KrakenD as not affected.

Component
quic-go (HTTP/3)
Disclosed
Jun 17, 2026
CVSS Score
7.5
The quic-go QUIC/HTTP-3 library limits the size of the QPACK-compressed HEADERS
frame but not the size of the decoded field section. Because QPACK lets a few
bytes reference table entries, a malicious peer can send crafted QPACK-encoded
HEADERS frames whose trailers decompress into an enormous http.Header, exhausting
memory and causing a denial of service on both HTTP/3 servers and clients. The
flaw was fixed in quic-go v0.59.1, which enforces the RFC 9114 field section size
limit (Section 4.2.2: each field counts as name length plus value length plus 32
bytes of overhead, bounded by SETTINGS_MAX_FIELD_SECTION_SIZE) with incremental
validation, so decoding stops as soon as the limit is exceeded rather than after
the whole section has been materialised.