{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2025-24947", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2025-02-20T20:19:05.607Z", "dateReserved": "2025-01-29T00:00:00.000Z", "datePublished": "2025-02-20T00:00:00.000Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "LSQUIC", "vendor": "litespeedtech", "versions": [{"lessThan": "4.2.0", "status": "affected", "version": "0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "value": "A hash collision vulnerability (in the hash table used to manage connections) in LSQUIC (aka LiteSpeed QUIC) before 4.2.0 allows remote attackers to cause a considerable CPU load on the server (a Hash DoS attack) by initiating connections with colliding Source Connection IDs (SCIDs). This is caused by XXH32 usage."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-407", "description": "CWE-407 Inefficient Algorithmic Complexity", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2025-02-20T02:40:12.338Z"}, "references": [{"url": "https://xxhash.com"}, {"url": "https://github.com/ncc-pbottine/QUIC-Hash-Dos-Advisory"}, {"url": "https://github.com/litespeedtech/lsquic/releases/tag/v4.2.0"}], "x_generator": {"engine": "enrichogram 0.0.1"}, "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"}}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:litespeedtech:lsquic:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.2.0"}]}]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-02-20T20:18:13.503625Z", "id": "CVE-2025-24947", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-20T20:19:05.607Z"}}]}, "dataVersion": "5.1"}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A hash collision vulnerability (in the hash table used to manage connections) in LSQUIC (aka LiteSpeed QUIC) before 4.2.0 allows remote attackers to cause a considerable CPU load on the server (a Hash DoS attack) by initiating connections with colliding Source Connection IDs (SCIDs). This is caused by XXH32 usage."}, {"lang": "es", "value": "Una vulnerabilidad de colisi\u00f3n hash (en la tabla hash utilizada para administrar conexiones) en LSQUIC (tambi\u00e9n conocido como Litespeed Quic) antes de 4.2.0 permite a los atacantes remotos causar una carga de CPU considerable en el servidor (un ataque con hash DOS) al iniciar conexiones con la conexi\u00f3n de fuente colid\u00eda IDS (SCID). Esto es causado por el uso XXH32."}], "id": "CVE-2025-24947", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "cve@mitre.org", "type": "Secondary"}]}, "published": "2025-02-20T03:15:12.943", "references": [{"source": "cve@mitre.org", "url": "https://github.com/litespeedtech/lsquic/releases/tag/v4.2.0"}, {"source": "cve@mitre.org", "url": "https://github.com/ncc-pbottine/QUIC-Hash-Dos-Advisory"}, {"source": "cve@mitre.org", "url": "https://xxhash.com"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-407"}], "source": "cve@mitre.org", "type": "Secondary"}]}

{}

{"created": "2025-07-12T15:26:13.908323+00:00", "updated": "2025-07-12T15:26:13.908384+00:00", "vendors": ["litespeedtech", "litespeedtech$PRODUCT$lsquic"]}