Skip to content
/ CVE-2025-54939 Public

POC for CVE-2025-54939. ~ forcibly loads 200MiB/s in server's memory

0 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

yohannslm/CVE-2025-54939

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

8 Commits
poc
poc
 
 
.env
.env
 
 
README.MD
README.MD
 
 
docker-compose.yml
docker-compose.yml
 
 

Repository files navigation

PoC for QUIC-LEAK (CVE-2025-54939) in LSQUIC

Overview

This PoC highlights CVE-2025-54939, a pre-handshake memory exhaustion (Denial of Service) vulnerability in the LSQUIC QUIC implementation. The issue, named QUIC-LEAK, was first documented by Imperva: https://www.imperva.com/blog/quic-leak-cve-2025-54939-new-high-risk-pre-handshake-remote-denial-of-service-in-lsquic-quic-implementation/

Vulnerability

Affected versions • LSQUIC < 4.3.1 • OpenLiteSpeed < 1.8.4 • LiteSpeed Web Server < 6.3.4

Issue

A memory leak in lsquic_engine_packet_in, triggered before the handshake, allows remote attackers to exhaust memory and crash the server.

Replication Steps

> Modify poc/entrypoint.sh to specify host. By default, it targets the litespeed container.
> docker compose up --build
> docker stats

In addition to what is described in the blogpost, it was observed that the initial QUIC packet does not need to be fully valid (simply 8 bytes SCID and DCID). This point means that more packets could be included than the examples shown in the article

Disclaimer

This PoC is for educational and authorized security testing only. Do not use it against systems without explicit permission.

About

POC for CVE-2025-54939. ~ forcibly loads 200MiB/s in server's memory

Resources

Readme
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages