A critical pre-handshake vulnerability in the LSQUIC QUIC implementation allows remote attackers to crash servers through memory exhaustion.
The vulnerability, designated CVE-2025-54939 and dubbed "QUIC-LEAK," affects the second most widely used QUIC implementation globally and potentially impacts over 34% of HTTP/3-enabled websites, which rely on LiteSpeed technologies.
Key Takeaways
1. CVE-2025-54939 allows unauthenticated remote DoS via memory exhaustion in QUIC servers built on LSQUIC, before any handshake completes.
2. Affects LiteSpeed-based servers (OpenLiteSpeed, LiteSpeed Web Server), which power about 14% of all websites.
3. Upgrade immediately to LSQUIC 4.3.1, OpenLiteSpeed 1.8.4 or LiteSpeed Web Server 6.3.4.
QUIC-LEAK Vulnerability
Imperva reports that QUIC-LEAK exploits a weakness in how LSQUIC handles coalesced packets within a single UDP datagram before a connection handshake is established.
RFC 9000 allows a sender to coalesce several QUIC packets in one UDP datagram but requires them all to carry the same Destination Connection ID (DCID); a receiver is expected to ignore any packet whose DCID differs from the first. The attack abuses this rule: the attacker crafts UDP datagrams containing multiple QUIC Initial packets in which only the first packet carries a valid DCID and every subsequent packet uses a bogus one.
In the vulnerable code path in lsquic_engine.c, the implementation correctly identifies the packets with mismatched DCIDs and ignores them, adding their size to a garbage counter used for amplification-attack protection.
The flaw is that the packet_in structure already allocated for each ignored packet is never returned to the pool with lsquic_mm_put_packet_in, so every ignored packet leaks its packet_in structure for the lifetime of the process.
Each leaked packet_in structure consumes roughly 96 bytes of RAM, and a single UDP datagram can carry up to 10 coalesced packets, so server memory grows at roughly 70% of the attacker's sending rate: the leak is driven purely by bandwidth, with no per-connection state needed on the attacker's side.
The attack bypasses all standard QUIC connection-level protections, including connection limits, stream limits and flow control, because those safeguards only take effect once a connection exists; the leaked objects are created before any connection is ever established.
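The following C program is an added illustration of the leak pattern described above; it is not LSQUIC code and its names (packet_in, get_packet_in/put_packet_in, process_datagram) are hypothetical stand-ins for the engine's object pool. It parses a constructed UDP datagram of ten coalesced QUIC v1 Initial packets, the first with the connection's DCID and nine with bogus DCIDs, and runs the same dispatch loop in a "vulnerable" mode (ignored packets are counted as garbage but their packet_in is never released) and in a "fixed" mode (the packet_in is returned to the pool). The live-object counter makes the leak visible.

```c
/* quic_leak_model.c - added example modelling the coalesced-packet leak.
 * Not LSQUIC source; all names are hypothetical. Only QUIC v1 Initial
 * packets are parsed. Build: cc -std=c11 -Wall quic_leak_model.c */
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

#define MAX_DCID 20

/* Stand-in for the engine's per-packet object. */
struct packet_in {
    uint8_t dcid_len;
    uint8_t dcid[MAX_DCID];
};

/* Pool accounting so the leak is observable. */
static size_t g_live_packet_in;
struct packet_in *get_packet_in(void) {
    struct packet_in *p = calloc(1, sizeof *p);
    if (p) g_live_packet_in++;
    return p;
}
void put_packet_in(struct packet_in *p) {
    if (p) { g_live_packet_in--; free(p); }
}

/* RFC 9000 variable-length integer; returns bytes consumed, 0 on error. */
size_t read_varint(const uint8_t *b, size_t n, uint64_t *out) {
    if (n == 0) return 0;
    size_t len = (size_t)1 << (b[0] >> 6);
    if (len > n) return 0;
    uint64_t v = b[0] & 0x3f;
    for (size_t i = 1; i < len; i++) v = (v << 8) | b[i];
    *out = v;
    return len;
}

/* Parse one v1 Initial packet at buf; fill p->dcid and return its total
 * length (start of the next coalesced packet), or 0 if malformed. */
size_t parse_initial(const uint8_t *buf, size_t n, struct packet_in *p) {
    static const uint8_t v1[4] = {0, 0, 0, 1};
    if (n < 7 || (buf[0] & 0xC0) != 0xC0) return 0;   /* long header + fixed bit */
    if (((buf[0] >> 4) & 0x03) != 0) return 0;         /* type 0 = Initial */
    if (memcmp(buf + 1, v1, 4) != 0) return 0;         /* QUIC version 1 only */
    size_t off = 5;
    uint8_t dcid_len = buf[off++];
    if (dcid_len > MAX_DCID || off + dcid_len > n) return 0;
    memcpy(p->dcid, buf + off, dcid_len); p->dcid_len = dcid_len; off += dcid_len;
    if (off >= n) return 0;
    uint8_t scid_len = buf[off++];
    if (off + scid_len > n) return 0;
    off += scid_len;
    uint64_t tok_len, length; size_t k;
    if (!(k = read_varint(buf + off, n - off, &tok_len))) return 0;
    off += k;
    if (off + tok_len > n) return 0;
    off += tok_len;
    if (!(k = read_varint(buf + off, n - off, &length))) return 0;
    off += k;
    if (off + length > n) return 0;
    return off + length;
}

struct demo_result { size_t accepted, garbage, live_packet_in; };

/* Dispatch loop over a datagram. The first packet's DCID selects the
 * connection; later packets with a different DCID are ignored and their
 * bytes added to the garbage counter. leak=1 models the pre-fix code,
 * which never returns the ignored packet_in to the pool. */
struct demo_result process_datagram(const uint8_t *dgram, size_t n, int leak) {
    struct demo_result r = {0, 0, 0};
    uint8_t conn_dcid[MAX_DCID], conn_dcid_len = 0; int have_conn = 0;
    size_t off = 0;
    while (off < n) {
        struct packet_in *p = get_packet_in();
        size_t plen = parse_initial(dgram + off, n - off, p);
        if (plen == 0) { put_packet_in(p); break; }      /* junk: stop */
        off += plen;
        if (!have_conn) {
            memcpy(conn_dcid, p->dcid, p->dcid_len);
            conn_dcid_len = p->dcid_len; have_conn = 1;
        } else if (p->dcid_len != conn_dcid_len ||
                   memcmp(p->dcid, conn_dcid, conn_dcid_len) != 0) {
            r.garbage += plen;                /* amplification accounting */
            if (!leak) put_packet_in(p);      /* the fix: release it */
            continue;                         /* vulnerable: p is leaked */
        }
        r.accepted++;
        put_packet_in(p);   /* a real engine would hand it to the connection */
    }
    r.live_packet_in = g_live_packet_in;
    return r;
}

/* Build one Initial packet (SCID and token empty, zero payload); returns size. */
size_t build_initial(uint8_t *out, const uint8_t *dcid, uint8_t dcid_len, size_t plen) {
    size_t off = 0;
    out[off++] = 0xC0;                                   /* Initial, pn len 1 */
    out[off++] = 0; out[off++] = 0; out[off++] = 0; out[off++] = 1;
    out[off++] = dcid_len; memcpy(out + off, dcid, dcid_len); off += dcid_len;
    out[off++] = 0;                                      /* SCID length */
    out[off++] = 0;                                      /* token length */
    out[off++] = 0x40 | (uint8_t)(plen >> 8);            /* 2-byte varint */
    out[off++] = (uint8_t)plen;
    memset(out + off, 0, plen);
    return off + plen;
}

/* Constructed attack datagram: 1 valid-DCID Initial + 9 bogus-DCID ones,
 * 128 bytes each (1280 total, above the 1200-byte Initial minimum). */
struct demo_result demo_datagram(int leak) {
    static uint8_t dgram[1400];
    const uint8_t good[8] = {1, 2, 3, 4, 5, 6, 7, 8};
    uint8_t bogus[8] = {0x42, 0, 0, 0, 0, 0, 0, 0};
    size_t n = build_initial(dgram, good, 8, 110);
    for (int i = 0; i < 9; i++) { bogus[1] = (uint8_t)i; n += build_initial(dgram + n, bogus, 8, 110); }
    g_live_packet_in = 0;
    return process_datagram(dgram, n, leak);
}

int main(void) {
    struct demo_result v = demo_datagram(1), f = demo_datagram(0);
    printf("vulnerable: accepted=%zu garbage=%zu live packet_in=%zu\n", v.accepted, v.garbage, v.live_packet_in);
    printf("fixed:      accepted=%zu garbage=%zu live packet_in=%zu\n", f.accepted, f.garbage, f.live_packet_in);
    return 0;
}
```

In vulnerable mode one datagram leaves nine packet_in objects alive after processing and never reclaims them; in fixed mode the count returns to zero while the garbage counter, the only thing the original code tracked, is identical in both modes, which is why the amplification accounting gave no hint of the leak.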
| Risk Factors | Details |
| --- | --- |
| Affected Products | LSQUIC library (versions < 4.3.1); OpenLiteSpeed (versions < 1.8.4); LiteSpeed Web Server (versions < 6.3.4); any application using the LiteSpeed QUIC library |
| Impact | Remote Denial of Service (DoS) |
| Exploit Prerequisites | Network access to the target server; ability to send UDP packets; no authentication required; no valid QUIC session needed; exploitable pre-handshake |
| CVSS 3.1 Score | 7.5 (High) |
The vulnerability carries a CVSS 3.1 base score of 7.5 (High); the researchers note that the availability impact should be rated High because a successful attack causes complete service disruption.
LiteSpeed servers, which power over 14% of all websites globally, are particularly exposed because they embed the affected LSQUIC library directly.
Impact of QUIC-LEAK on a LiteSpeed web server
In controlled testing on an OpenLiteSpeed instance limited to 512 MiB of memory, the researchers showed that the attack drove memory utilization to 100% and left the server completely unresponsive.
The attack's effectiveness stems from its stateless nature: it requires no valid QUIC session and has no timing dependencies, so it can be launched from any host that can reach the server's UDP port.
Mitigations
Immediate mitigation requires upgrading to LSQUIC 4.3.1 or later, which ships in OpenLiteSpeed 1.8.4 and LiteSpeed Web Server 6.3.4.
Organizations that cannot upgrade immediately should filter UDP traffic to QUIC endpoints at the network edge (for example, rate-limiting sources that send large volumes of Initial packets without ever completing a handshake), enforce strict memory limits on exposed services so that exhaustion terminates only the affected process, and monitor continuously for anomalous traffic patterns targeting QUIC endpoints.