This work addresses security risks in QUIC implementations (RFC 9000/9001) arising from specification ambiguities and implementation divergences. To detect compliance violations without relying on formal specifications, we propose an automated conformance testing methodology. Our approach introduces: (1) event-timing-aware active automata learning (AAL) to construct high-fidelity finite-state machine models directly from implementation behavior; and (2) a pairwise differential verification paradigm, wherein multiple implementations serve as mutual black-box oracles—eliminating dependence on a trusted reference model. We implement this methodology in QUICtester and apply it to 19 mainstream QUIC implementations, generating 186 behavioral models. The analysis uncovers 55 implementation flaws, identifies a critical specification ambiguity exploitable for denial-of-service, and leads to the assignment of 5 CVEs and 2 bug bounty awards—substantially advancing QUIC’s security and reliability.

We develop QUICtester, an automated approach for uncovering non-compliant behaviors in the ratified QUIC protocol implementations (RFC 9000/9001). QUICtester leverages active automata learning to abstract the behavior of a QUIC implementation into a finite state machine (FSM) representation. Unlike prior noncompliance checking methods, to help uncover state dependencies on event timing, QUICtester introduces the idea of state learning with event timing variations, adopting both valid and invalid input configurations, and combinations of security and transport layer parameters during learning. We use pairwise differential analysis of learned behaviour models of tested QUIC implementations to identify non-compliance instances as behaviour deviations in a property-agnostic way. This exploits the existence of the many different QUIC implementations, removing the need for validated, formal models. The diverse implementations act as cross-checking test oracles to discover non-compliance. We used QUICtester to analyze analyze 186 learned models from 19 QUIC implementations under the five security settings and discovered 55 implementation errors. Significantly, the tool uncovered a QUIC specification ambiguity resulting in an easily exploitable DoS vulnerability, led to 5 CVE assignments from developers, and two bug bounties thus far.