A critical pre-handshake vulnerability in the LSQUIC QUIC implementation enables remote attackers to crash servers through memory exhaustion attacks.
The vulnerability, designated CVE-2025-54939 and dubbed "QUIC-LEAK," affects the second most widely used QUIC implementation globally, potentially impacting over 34% of HTTP/3-enabled websites that rely on LiteSpeed technologies.
Key Takeaways
1. CVE-2025-54939 allows remote DoS via memory exhaustion in QUIC servers.
2. Affects 14% of websites using LSQUIC/LiteSpeed technologies.
3. Upgrade immediately.
QUIC-LEAK Vulnerability
Imperva reports that QUIC-LEAK exploits a fundamental weakness in how LSQUIC handles coalesced packets within UDP datagrams before connection handshakes are established.
The vulnerability occurs when attackers craft malicious UDP datagrams containing multiple QUIC Initial packets, where only the first packet carries a valid Destination Connection ID (DCID) while subsequent packets use invalid DCIDs.
In the vulnerable code path within lsquic_engine.c, the implementation correctly identifies and ignores packets with mismatched DCIDs, adding their size to a garbage count for amplification attack protection.
(Figure: Vulnerable code)
However, the critical flaw lies in the failure to properly deallocate the packet_in structures using the lsquic_mm_put_packet_in function, creating persistent memory leaks.
Each leaked packet_in structure consumes approximately 96 bytes of RAM, and with UDP datagrams capable of carrying up to 10 coalesced packets, attackers can achieve memory growth at roughly 70% of their bandwidth rate.
The attack bypasses all standard QUIC connection-level protections, including connection limits, stream controls, and flow control, since these safeguards only activate after handshake completion.
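As an added illustration, not code from LSQUIC or from the Imperva write-up, the C function below walks the coalesced long-header packets of one UDP datagram the way the description above implies a pre-handshake server must: it takes the first packet's DCID as the reference and tallies later packets whose DCID differs, together with their bytes (the garbage count). The names `scan_coalesced`, `read_varint` and `sample_dg` and the sample datagram are assumptions constructed for this example, and the parser assumes the QUIC v1 long-header layout.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* QUIC variable-length integer (RFC 9000, section 16): returns bytes consumed, 0 if truncated. */
static size_t read_varint(const uint8_t *p, size_t avail, uint64_t *v)
{
    if (avail == 0) return 0;
    size_t n = (size_t)1 << (p[0] >> 6);            /* 1, 2, 4 or 8 bytes */
    if (n > avail) return 0;
    *v = p[0] & 0x3f;
    for (size_t i = 1; i < n; i++) *v = (*v << 8) | p[i];
    return n;
}
/* Walk the coalesced long-header packets of one UDP datagram (QUIC v1 layout assumed). The
 * first packet's DCID is the reference, as a pre-handshake server has nothing else to match.
 * Returns the packet count, or -1 on malformed input; *mismatched gets how many later packets
 * carry another DCID and *ignored_bytes their size (the "garbage count" the engine tracks). */
int scan_coalesced(const uint8_t *dg, size_t len, int *mismatched, size_t *ignored_bytes)
{
    const uint8_t *ref = NULL; size_t ref_len = 0, off = 0; int count = 0;
    *mismatched = 0; *ignored_bytes = 0;
    while (off < len) {
        const uint8_t *p = dg + off;
        size_t n = len - off, pos, k, dl, sl;
        uint64_t v;
        if (!(p[0] & 0x80)) break;                  /* short header: no long-header packet follows */
        if (n < 7) return -1;                       /* type, version, DCID len, SCID len */
        dl = p[5]; pos = 6 + dl; if (pos >= n) return -1;
        sl = p[pos]; pos += 1 + sl; if (pos > n) return -1;
        if ((p[0] & 0x30) == 0x00) {                /* Initial: Token Length + Token */
            k = read_varint(p + pos, n - pos, &v);
            if (k == 0 || v > n - pos - k) return -1;
            pos += k + (size_t)v;
        }
        k = read_varint(p + pos, n - pos, &v);      /* Length: packet number + payload */
        if (k == 0 || v > n - pos - k) return -1;
        size_t pkt_len = pos + k + (size_t)v;
        if (ref == NULL) { ref = p + 6; ref_len = dl; }
        else if (dl != ref_len || memcmp(p + 6, ref, dl) != 0) { (*mismatched)++; *ignored_bytes += pkt_len; }
        count++; off += pkt_len;
    }
    return count;
}
/* Constructed sample: three coalesced v1 Initial packets, only the first carrying the "real" DCID. */
const uint8_t sample_dg[] = {
    0xC0,0,0,0,1, 8, 0x11,0x22,0x33,0x44,0x55,0x66,0x77,0x88, 0, 0x00, 0x04, 0xAA,0xBB,0xCC,0xDD,
    0xC0,0,0,0,1, 8, 0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08, 0, 0x00, 0x04, 0xAA,0xBB,0xCC,0xDD,
    0xC0,0,0,0,1, 8, 0x0A,0x0B,0x0C,0x0D,0x0E,0x0F,0x10,0x11, 0, 0x00, 0x40,0x04, 0xAA,0xBB,0xCC,0xDD,
};
```

Whatever the tally, each packet record must still be released afterwards, which is the step the leaked path skips. The per-datagram count of mismatched packets is also a usable signal when reviewing captures from servers that cannot yet be upgraded.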
Risk Factors | Details
Affected Products | LSQUIC library (versions
Impact | Remote Denial of Service (DoS)
Exploit Prerequisites | Network access to target server; ability to send UDP packets; no authentication required; no valid QUIC session needed; pre-handshake exploitation
CVSS 3.1 Score | 7.5 (High)
Mitigations
The vulnerability carries a CVSS 3.1 base score of 7.5, with researchers noting that the availability impact should be classified as High due to the potential for complete service disruption.
LiteSpeed servers, which power over 14% of all websites globally, are particularly vulnerable since they integrate the affected LSQUIC library directly.
(Figure: Impact of QUIC-LEAK on a LiteSpeed web server)
During controlled testing with a 512 MiB memory configuration, researchers demonstrated that the attack could render OpenLiteSpeed servers completely unresponsive once memory utilization reached 100%.
The attack's effectiveness stems from its stateless nature, requiring no valid QUIC session establishment or timing dependencies.
Immediate mitigation requires upgrading to LSQUIC version 4.3.1 or later, which is included in OpenLiteSpeed 1.8.4 and LiteSpeed Web Server 6.3.4.
Organizations unable to upgrade immediately should implement network-level UDP traffic filtering, enforce strict memory usage limits on exposed services, and maintain continuous monitoring for anomalous traffic patterns targeting QUIC endpoints.