QUIC-LEAK Vulnerability Allows Attackers to Drain Server Memory and Cause DoS


Security researchers at Imperva have disclosed a critical pre-handshake memory exhaustion vulnerability in the widely-used LSQUIC QUIC implementation that enables remote attackers to crash servers through denial-of-service attacks.

The flaw, designated CVE-2025-54939 and dubbed “QUIC-LEAK,” bypasses standard QUIC connection-level protections by triggering before any handshake is established, leaving servers vulnerable to unbounded memory growth and eventual process termination.

Vulnerability Overview

QUIC-LEAK represents a significant security flaw in LSQUIC, the second most widely adopted QUIC implementation after Cloudflare’s Quiche.

Field               Value
CVE ID              CVE-2025-54939
Vulnerability Name  QUIC-LEAK
CVSS 3.1 Score      7.5 (High)
Affected Software   LSQUIC library (< 4.3.1)
Fixed Versions      LSQUIC 4.3.1, OpenLiteSpeed 1.8.4, LiteSpeed Web Server 6.3.4

The vulnerability stems from how the library handles coalesced packets within a single UDP datagram, specifically in the Destination Connection ID (DCID) validation path.

When attackers craft malicious UDP datagrams containing multiple QUIC Initial packets with invalid DCIDs, only the first packet gets properly freed from memory while subsequent packets remain allocated, creating a persistent memory leak.

Figure: Malicious UDP datagram

The attack mechanism leverages packet coalescing, where multiple QUIC packets can be combined into a single UDP datagram.

Attackers can smuggle up to 10 minimal handshake packets within a typical 1472-byte UDP payload, with only the first packet requiring a valid DCID.

This stateless attack requires no handshake completion, making it highly efficient for threat actors.

The vulnerability affects any technology relying on the LiteSpeed QUIC library, including OpenLiteSpeed and LiteSpeed Web Server installations.

Figure: Impact of QUIC-LEAK on a LiteSpeed web server

Given that LiteSpeed serves over 14% of all websites and more than 34% of HTTP/3-enabled sites, the potential impact is substantial.

The memory consumption grows at approximately 70% of the bandwidth rate, with each malformed packet consuming roughly 96 bytes of RAM.

Imperva’s testing demonstrated that under realistic conditions using a 512 MiB OpenLiteSpeed server, the attack could render systems completely unresponsive once memory utilization reached 100%.

This can trigger Out-of-Memory (OOM) conditions, resulting in process termination and service unavailability.

The vulnerability was responsibly disclosed to LiteSpeed Technologies on July 15, 2025, with a patch released just three days later on July 18.

The CVE was publicly assigned on August 1, 2025, coinciding with the release of patched versions of OpenLiteSpeed 1.8.4 and LiteSpeed Web Server 6.3.4.

While MITRE initially assigned a CVSS 3.1 base score of 5.3, Imperva’s analysis suggests a revised score of 7.5 due to the high availability impact.

Organizations should immediately upgrade to LSQUIC version 4.3.1 or later, included in OpenLiteSpeed 1.8.4 and LiteSpeed Web Server 6.3.4.

For systems unable to upgrade immediately, administrators should implement network-level protections, enforce memory usage limits, and monitor for unusual UDP traffic patterns.
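As an added example (not Imperva's, LiteSpeed's or LSQUIC's code), the script below shows what "monitoring for unusual UDP traffic patterns" can mean concretely for the pattern described above. It walks the QUIC v1 long-header layout from RFC 9000, counts how many Initial packets are coalesced into one UDP payload (a normal client first flight carries one Initial padded to at least 1200 bytes, whereas the attack packs up to ten into a datagram), and applies the RFC 9000 rule that a client Initial DCID must be at least 8 bytes long as one cheap sanity check. The threshold of one Initial per datagram is an assumption, and the script does not reproduce LSQUIC's own DCID validation. It also turns the article's figure that retained memory grows at roughly 70% of the inbound bandwidth rate into a time-to-exhaustion estimate for a given memory budget. All sample datagrams are constructed in the script.

```python
"""Detector for datagrams coalescing many QUIC Initial packets (added example)."""
import os
import struct

QUIC_V1 = 0x00000001
MIN_INITIAL_DCID_LEN = 8   # RFC 9000 section 7.2: client Initial DCIDs are >= 8 bytes
PACKET_TYPE_INITIAL = 0    # long-header type bits 0b00 in QUIC v1
PACKET_TYPE_RETRY = 3      # Retry has no Length field and ends the datagram


def encode_varint(value):
    """Encode an RFC 9000 variable-length integer (1, 2, 4 or 8 bytes)."""
    if value < 0x40:
        return bytes([value])
    if value < 0x4000:
        return struct.pack("!H", 0x4000 | value)
    if value < 0x40000000:
        return struct.pack("!I", 0x80000000 | value)
    return struct.pack("!Q", 0xC000000000000000 | value)


def read_varint(buf, pos):
    """Decode a variable-length integer at buf[pos]; return (value, next_pos)."""
    size = 1 << (buf[pos] >> 6)
    if pos + size > len(buf):
        raise ValueError("truncated varint")
    value = buf[pos] & 0x3F
    for b in buf[pos + 1:pos + size]:
        value = (value << 8) | b
    return value, pos + size


def split_coalesced(datagram):
    """Return (type, version, dcid, wire_len) for each long-header packet
    coalesced in the datagram, stopping at the first short-header, Retry,
    Version Negotiation or malformed packet, as a receiver would."""
    packets, pos = [], 0
    try:
        while pos < len(datagram):
            first = datagram[pos]
            if not first & 0x80:
                break                                   # short header packet
            start = pos
            version = struct.unpack_from("!I", datagram, pos + 1)[0]
            ptype = (first & 0x30) >> 4
            if version == 0 or ptype == PACKET_TYPE_RETRY:
                break                                   # consumes rest of datagram
            pos += 5
            dcid_len = datagram[pos]; pos += 1
            dcid = datagram[pos:pos + dcid_len]; pos += dcid_len
            scid_len = datagram[pos]; pos += 1
            pos += scid_len
            if ptype == PACKET_TYPE_INITIAL:
                token_len, pos = read_varint(datagram, pos)
                pos += token_len                        # Token precedes Length
            length, pos = read_varint(datagram, pos)
            pos += length                               # packet number + payload
            if pos > len(datagram):
                break                                   # truncated packet
            packets.append((ptype, version, dcid, pos - start))
    except (IndexError, ValueError, struct.error):
        pass                                            # malformed header: stop
    return packets


def assess_datagram(datagram, max_initials=1):
    """Flag a datagram that coalesces more Initials than a normal first flight
    (threshold assumed) or whose Initial DCIDs are shorter than the RFC minimum."""
    packets = split_coalesced(datagram)
    initials = [p for p in packets if p[0] == PACKET_TYPE_INITIAL and p[1] == QUIC_V1]
    short_dcid = sum(1 for p in initials if len(p[2]) < MIN_INITIAL_DCID_LEN)
    return {
        "packets": len(packets),
        "initials": len(initials),
        "short_dcid_initials": short_dcid,
        "suspicious": len(initials) > max_initials or short_dcid > 0,
    }


def seconds_until_oom(memory_bytes, attack_bits_per_sec, leak_fraction=0.70):
    """Seconds for the leak to fill memory_bytes if retained memory grows at
    leak_fraction of the inbound bandwidth (the article's ~70% figure)."""
    return memory_bytes / (attack_bits_per_sec / 8 * leak_fraction)


def build_initial(dcid, payload_len):
    """Constructed QUIC v1 Initial with an empty token; the payload is random
    filler because only the header layout matters to this detector."""
    scid = os.urandom(8)
    hdr = bytes([0xC0]) + struct.pack("!I", QUIC_V1)
    hdr += bytes([len(dcid)]) + dcid + bytes([len(scid)]) + scid
    hdr += encode_varint(0) + encode_varint(payload_len)
    return hdr + os.urandom(payload_len)


# Constructed samples: a normal first flight (one Initial padded to 1200 bytes)
# versus one datagram coalescing ten small Initials with 4-byte DCIDs.
BENIGN_DATAGRAM = build_initial(os.urandom(8), 1174)
COALESCED_DATAGRAM = b"".join(build_initial(os.urandom(4), 20) for _ in range(10))

if __name__ == "__main__":
    for name, dg in (("benign", BENIGN_DATAGRAM), ("coalesced", COALESCED_DATAGRAM)):
        print(name, len(dg), "bytes ->", assess_datagram(dg))
    print("512 MiB at 100 Mbit/s: %.0f s" % seconds_until_oom(512 * 2**20, 100e6))
```

Counting Initials per datagram is cheap enough to run on a packet capture or in a UDP-level filter in front of the server, and it does not require decrypting anything, since the DCID and the coalescing structure sit in the cleartext long header. The exhaustion estimate is only as good as the 70% figure it is fed; measure the real retention rate on a patched versus unpatched test host before relying on it for capacity planning.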



About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.