🛡️ 0.24.4

⚠️ Security:

• Implemented proper ACK range validation. Without this an attacker could cause the congestion window to grow beyond typical expectations by sending ACK frames covering a large range of packet numbers, which could potentially lead to an overflow and a crash (CVE-2025-4821).
• Implemented mitigations for optimistic ACK attacks. Without this an attacker could cause the congestion window to grow beyond typical expectations by sending ACK frames covering a large range of packet numbers, allowing more bytes in flight than the path might really support (CVE-2025-4820).

Highlights:

• Added Config::set_send_capacity_factor() to control the amount of stream data that can be buffered within quiche.
• Added a new stat for reporting spuriously lost packets.
• Many more bug fixes and performance improvements.

Full changelog at 0.24.0...0.24.4

quiche 0.24.2

What's Changed

• remove unnecessary &mut by @birneee in #2032
• Allow queueing at least 1 millisecond worth of packets in advance. by @antoniovicente in #2036
• quiche: release 0.24.2 by @antoniovicente in #2037

New Contributors

• @birneee made their first contribution in #2032

Full Changelog: 0.24.1...0.24.2

🥼 0.24.0

Breaking Changes:

• The Connection now takes a generic BufFactory. A default factory is provided, so in practice this shouldn't affect applications, but it's potentially a breaking change.

Highlights:

• Added experimental APIs for providing custom buffer allocators (see accept_with_buf_factory() and connect_with_buffer_factory()), and related "zero-copy" stream send operations.
• Many more bug fixes and performance improvements.

Full changelog at 0.23.7...0.24.0

🩹 0.23.7

Highlights:

• Bug fixes, mostly related to new experimental recovery implementaion.

Full changelog at 0.23.6...0.23.7

🧪 0.23.6

Highlights:

• Initial experimental support for alternative recovery and congestion control implementations.

Full changelog at 0.23.5...0.23.6

🤝 0.23.5

Highlights:

• Added experimental APIs to change connection settings from BoringSSL's handshake callbacks.
• Fixed issue that could cause logging of NULL bytes.

Full changelog at 0.23.4...0.23.5

🚑 0.23.4

Highlights:

• Fixed an issue introduced in the 0.23.x release branch that would cause clients to fail to send packets after receiving a retry or version negotiation.
• Fixed a few issues related to QLOG.
• Bumped MSRV to 1.81.

Full changelog at 0.23.2...0.23.4

🩹 0.23.2

Highlights:

• Fixed an issue introduced in the previous release that would cause a crash when sending packets.

Full changelog at 0.23.1...0.23.2

🗓️ 0.23.0 / 0.23.1

⚠️ The 0.23.0 release has been yanked due to a broken dependency on the qlog crate and should not be used.

Breaking Changes:

• The has_body field of the Headers event variant has been renamed to more_frames. It is also no longer possible to call send_response() (and related methods) multiple times, the new send_additional_headers() method should be used instead (see below).

Highlights:

• Added proper support for sending additional headers after the initial request/response headers, via the new send_additional_headers(). Various HTTP/3 state transitions have also been tightened to ensure correct behaviour.
• Added support for configuring the idle timeout per connection (rather than "globally" at the Config level) via the new Connection::set_max_idle_timeout() method.
• Added dgram_recv and dgram_sent fields to the Stats structure tracking the number of received and sent DATAGRAM frames.
• Added support for tracking and exposing "unknown" transport parameters received. This can optionally be enabled using the Config::enable_track_unknown_transport_parameters() option.
• Many more bug fixes and performance improvements.

Full changelog at 0.22.0...0.23.1

🔧 0.22.0

Breaking Changes:

• The quiche_conn_stream_recv() and quiche_conn_stream_send() FFI functions now take an additional parameter out_error_code used to return more specific error information to the caller (similarly to what the Rust API already does).

Highlights:

• Added number of acked bytes to the Stats structure.
• The libquiche.so library, that exposes FFI bindings for C, will now have SONAME information.
• Added configuration option to change the anti-amplification limit factor (default will still be "3", per RFC 9000).
• Many more bug fixes and performance improvements.

Full changelog at 0.21.0...0.22.0