cloudflare/quiche
2025-08-07 23:13:43
quiche

➰ 0.24.5

⚠️ Security:

  • Improves sender-side handling of RETIRE_CONNECTION_ID frames. Without this, an attacker could trigger an infinite loop by sending a specially crafted set of frames that trigger a connection ID retirement (CVE-2025-7054).

Highlights:

  • Added Config::set_initial_rtt() to allow control of a connection's initial RTT estimate.
  • Improvements and bug fixes to datagram packetization layer path MTU discovery (DPLPMTUD).
  • Other bug fixes and performance improvements.
2025-06-17 22:52:36
quiche

🛡️ 0.24.4

⚠️ Security:

  • Implemented proper ACK range validation. Without this an attacker could cause the congestion window to grow beyond typical expectations by sending ACK frames covering a large range of packet numbers, which could potentially lead to an overflow and a crash (CVE-2025-4821).
  • Implemented mitigations for optimistic ACK attacks. Without this an attacker could cause the congestion window to grow beyond typical expectations by sending ACK frames covering a large range of packet numbers, allowing more bytes in flight than the path might really support (CVE-2025-4820).
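
The two checks named above, sketched as an added example (not quiche's code and not taken from its fixes): rejecting ACK ranges that cover packet numbers the sender never sent, and detecting optimistic ACKs by deliberately skipping packet numbers, as RFC 9000 sections 13.1 and 21.4 describe. `SentTracker`, `AckError` and their methods are hypothetical names.

```rust
use std::collections::BTreeSet;

/// Reasons to reject an ACK frame (hypothetical names, not quiche's API).
#[derive(Debug, PartialEq)]
enum AckError {
    InvalidRange,       // start > end
    BeyondLargestSent,  // covers a packet number above the largest one sent
    SkippedPacketAcked, // covers a number the sender deliberately never sent
}

/// Sender-side state for one packet number space.
#[derive(Default)]
struct SentTracker {
    next_pn: u64,
    largest_sent: Option<u64>,
    skipped: BTreeSet<u64>,
}

impl SentTracker {
    /// Allocates the packet number for a packet that is actually sent.
    fn on_send(&mut self) -> u64 {
        self.largest_sent = Some(self.next_pn);
        self.next_pn += 1;
        self.next_pn - 1
    }

    /// Burns a packet number without sending it; an honest peer cannot ACK it.
    fn skip(&mut self) -> u64 {
        self.skipped.insert(self.next_pn);
        self.next_pn += 1;
        self.next_pn - 1
    }

    /// Checks inclusive (start, end) ACK ranges before they reach loss recovery.
    fn validate_ack(&self, ranges: &[(u64, u64)]) -> Result<(), AckError> {
        for &(start, end) in ranges {
            if start > end {
                return Err(AckError::InvalidRange);
            }
            if self.largest_sent.map_or(true, |largest| end > largest) {
                return Err(AckError::BeyondLargestSent);
            }
            if self.skipped.range(start..=end).next().is_some() {
                return Err(AckError::SkippedPacketAcked);
            }
        }
        Ok(())
    }
}
```

RFC 9000 says an endpoint should treat an acknowledgment for a packet it did not send as a connection error of type PROTOCOL_VIOLATION, so a caller would close the connection on any `Err` here instead of passing the ranges to the congestion controller.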

Highlights:

  • Added Config::set_send_capacity_factor() to control the amount of stream data that can be buffered within quiche.
  • Added a new stat for reporting spuriously lost packets.
  • Many more bug fixes and performance improvements.

Full changelog at https://github.com/cloudflare/quiche/compare/0.24.0...0.24.4

2025-04-26 03:55:34
quiche

quiche 0.24.2

What's Changed

New Contributors

Full Changelog: https://github.com/cloudflare/quiche/compare/0.24.1...0.24.2

2025-04-16 04:12:36
quiche

🥼 0.24.0

Breaking Changes:

  • The Connection now takes a generic BufFactory. A default factory is provided, so in practice this shouldn't affect applications, but it's potentially a breaking change.

Highlights:

Full changelog at https://github.com/cloudflare/quiche/compare/0.23.7...0.24.0

2025-04-09 18:51:22
quiche

🩹 0.23.7

Highlights:

  • Bug fixes, mostly related to new experimental recovery implementation.

Full changelog at https://github.com/cloudflare/quiche/compare/0.23.6...0.23.7

2025-04-04 23:36:46
quiche

🧪 0.23.6

Highlights:

  • Initial experimental support for alternative recovery and congestion control implementations.

Full changelog at https://github.com/cloudflare/quiche/compare/0.23.5...0.23.6

2025-04-01 23:43:36
quiche

🤝 0.23.5

Highlights:

  • Added experimental APIs to change connection settings from BoringSSL's handshake callbacks.
  • Fixed issue that could cause logging of NULL bytes.

Full changelog at https://github.com/cloudflare/quiche/compare/0.23.4...0.23.5

2025-03-07 23:30:39
quiche

🚑 0.23.4

Highlights:

  • Fixed an issue introduced in the 0.23.x release branch that would cause clients to fail to send packets after receiving a retry or version negotiation.
  • Fixed a few issues related to QLOG.
  • Bumped MSRV to 1.81.

Full changelog at https://github.com/cloudflare/quiche/compare/0.23.2...0.23.4

2025-01-25 02:24:00
quiche

🩹 0.23.2

Highlights:

  • Fixed an issue introduced in the previous release that would cause a crash when sending packets.

Full changelog at https://github.com/cloudflare/quiche/compare/0.23.1...0.23.2

2025-01-24 21:46:21
quiche

🗓️ 0.23.0 / 0.23.1

⚠️ The 0.23.0 release has been yanked due to a broken dependency on the qlog crate and should not be used.

Breaking Changes:

  • The has_body field of the Headers event variant has been renamed to more_frames. It is also no longer possible to call send_response() (and related methods) multiple times; the new send_additional_headers() method should be used instead (see below).

Highlights:

  • Added proper support for sending additional headers after the initial request/response headers, via the new send_additional_headers(). Various HTTP/3 state transitions have also been tightened to ensure correct behaviour.
  • Added support for configuring the idle timeout per connection (rather than "globally" at the Config level) via the new Connection::set_max_idle_timeout() method.
  • Added dgram_recv and dgram_sent fields to the Stats structure tracking the number of received and sent DATAGRAM frames.
  • Added support for tracking and exposing "unknown" transport parameters received. This can optionally be enabled using the Config::enable_track_unknown_transport_parameters() option.
  • Many more bug fixes and performance improvements.

Full changelog at https://github.com/cloudflare/quiche/compare/0.22.0...0.23.1