quic-go fixed a vulnerability in the most recent patch release. I couldn't find any details yet, but it was backported down to v0.37.x which is an indicator for a higher severity.

The CVE isn't public yet: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-49295