CVE-2025-24947
📋 TL;DR
A hash collision vulnerability in LSQUIC (LiteSpeed QUIC) before version 4.2.0 allows remote attackers to cause high CPU consumption on servers through Hash DoS attacks. An attacker initiates many connections whose Source Connection IDs (SCIDs) collide under the XXH32 hash that LSQUIC uses to look up connections, so the lookups degrade from constant time to long scans of the colliding bucket. Any server that handles QUIC with a vulnerable LSQUIC build is affected.
💻 Affected Systems
- LSQUIC (LiteSpeed QUIC)
- Any software using LSQUIC library
⚠️ Manual Verification Required
This CVE entry does not carry machine-readable version ranges in our database, so automatic vulnerability detection cannot determine whether your system is affected.
Why? The CVE database entry does not specify which versions are vulnerable (no version ranges were provided by the vendor or NVD), even though the vendor release notes name 4.2.0 as the fixed version.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete server resource exhaustion leading to denial of service, making the service unavailable to legitimate users.
Likely Case
Significant CPU load degradation affecting server performance and response times for QUIC connections.
If Mitigated
Minimal impact with proper rate limiting, connection limits, and updated software.
🎯 Exploit Status
Exploitation requires sending specially crafted QUIC packets with colliding SCIDs. Public advisory includes technical details.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.2.0
Vendor Advisory: https://github.com/litespeedtech/lsquic/releases/tag/v4.2.0
Restart Required: Yes
Instructions:
1. Download LSQUIC version 4.2.0 or later from GitHub.
2. Replace the existing LSQUIC installation with the patched version.
3. Recompile any applications that link LSQUIC statically or that bundle it.
4. Restart the affected services.
🔧 Temporary Workarounds
Rate limiting connections
Platform: Linux
Implement per-source connection rate limiting to reduce the impact of hash collision attacks. Note that the rule below limits all UDP traffic to port 443 from a given source address, not only QUIC Initial packets, so size the threshold against your normal traffic to avoid dropping legitimate clients behind shared NAT addresses.
# Use iptables for Linux:
iptables -A INPUT -p udp --dport 443 -m hashlimit --hashlimit-above 100/sec --hashlimit-burst 200 --hashlimit-mode srcip --hashlimit-name quic_limit -j DROP
Connection limits
Platform: All
Configure a maximum number of concurrent connections to bound resource consumption.
# Configure in LSQUIC settings:
max_connections = 10000
# Or in the web server config for LiteSpeed:
quicMaxConnections 10000
🧯 If You Can't Patch
- Implement network-level rate limiting for QUIC/UDP traffic on port 443
- Deploy DDoS protection services that can detect and mitigate hash collision attacks
🔍 How to Verify
Check if Vulnerable:
Check the LSQUIC version with lsquic-config --version, or inspect the version of the LSQUIC library linked into your applications.
Check Version:
lsquic-config --version || strings /path/to/lsquic/library | grep -i version
Verify Fix Applied:
Confirm that the version is 4.2.0 or higher, then monitor CPU usage during QUIC connection spikes to confirm that it no longer climbs with the number of new connections.
📡 Detection & Monitoring
Log Indicators:
- Unusual spike in QUIC connection attempts
- High CPU usage by lsquic processes
- Connection timeouts or failures
Network Indicators:
- High volume of QUIC Initial packets from single sources
- Pattern of similar SCID values in QUIC traffic
SIEM Query:
source="*lsquic*" AND (cpu_usage>90 OR connections>10000) OR source="firewall" AND protocol="QUIC" AND rate>100/sec
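The two network indicators above can be checked offline against a connection log. The following is an added example, not code from LSQUIC or from this advisory: it parses constructed log lines of the form `<epoch> <src-ip> INITIAL scid=<hex>` (an assumed format), flags any source that exceeds a per-window count of QUIC Initial packets, and flags sources whose SCIDs mostly share the same leading bytes. The thresholds and the prefix heuristic are assumptions to be tuned against your own baseline.

```python
from collections import defaultdict

# Constructed sample lines (not a real capture): "<epoch-seconds> <src-ip> INITIAL scid=<hex>"
# One source sends three ordinary Initials; the other sends a burst of six
# whose SCIDs differ only in the last byte.
SAMPLE_LOG = [
    "1700000000.10 198.51.100.5 INITIAL scid=4f2a91c3",
    "1700000000.40 198.51.100.5 INITIAL scid=b7e0d112",
    "1700000000.90 198.51.100.5 INITIAL scid=03aa5e77",
] + [f"1700000000.{i:02d} 203.0.113.9 INITIAL scid=deadbe{i:02x}" for i in range(6)]


def parse_line(line):
    """Return (timestamp, src_ip, scid_hex) or None for lines that do not match the assumed format."""
    parts = line.split()
    if len(parts) != 4 or parts[2] != "INITIAL" or not parts[3].startswith("scid="):
        return None
    return float(parts[0]), parts[1], parts[3][len("scid="):].lower()


def analyze(lines, window=1.0, rate_threshold=5, prefix_bytes=3, prefix_share=0.8):
    """Return {src_ip: [reasons]} for sources that look like a collision flood.

    rate_threshold: more than this many Initials inside any `window` seconds is flagged.
    prefix_share:   if this fraction of a source's SCIDs share the first `prefix_bytes`
                    bytes, the SCIDs are treated as 'similar' (heuristic, not a proof).
    """
    by_src = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_src[rec[1]].append(rec)
    findings = {}
    for src, recs in by_src.items():
        recs.sort()
        reasons = []
        # Sliding window: largest number of Initials that fall inside `window` seconds.
        peak, start = 0, 0
        for end in range(len(recs)):
            while recs[end][0] - recs[start][0] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > rate_threshold:
            reasons.append(f"{peak} Initials within {window}s")
        # SCID similarity: count how many SCIDs share the same leading bytes.
        prefixes = defaultdict(int)
        for _, _, scid in recs:
            prefixes[scid[: 2 * prefix_bytes]] += 1
        top = max(prefixes.values())
        if len(recs) >= 4 and top / len(recs) >= prefix_share:
            reasons.append(f"{top}/{len(recs)} SCIDs share the first {prefix_bytes} bytes")
        if reasons:
            findings[src] = reasons
    return findings
```

Feed it the Initial-packet log from your QUIC front end and alert on any returned source; a source flagged for both reasons is the strongest signal of an SCID collision flood.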