{"id":"CVE-2025-24947","details":"A hash collision vulnerability (in the hash table used to manage connections) in LSQUIC (aka LiteSpeed QUIC) before 4.2.0 allows remote attackers to cause a considerable CPU load on the server (a Hash DoS attack) by initiating connections with colliding Source Connection IDs (SCIDs). This is caused by XXH32 usage.","modified":"2026-04-12T14:04:27.676723Z","published":"2025-02-20T03:15:12.943Z","references":[{"type":"WEB","url":"https://github.com/litespeedtech/lsquic/releases/tag/v4.2.0"},{"type":"WEB","url":"https://xxhash.com"},{"type":"PACKAGE","url":"https://github.com/ncc-pbottine/QUIC-Hash-Dos-Advisory"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/litespeedtech/lsquic","events":[{"introduced":"0"},{"fixed":"7686d8fcef284cda07a951ad74a5e90c69a9dfb1"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"4.2.0"}]}}],"versions":["1.11.0","1.11.1","1.12.0","1.12.2","1.12.3","1.12.4","1.13.0","1.14.0","1.14.3","1.15.0","1.16.0","1.17.0","1.17.10","1.17.11","1.17.12","1.17.14","1.17.15","1.17.2","1.17.3","1.17.6","1.17.7","1.17.8","1.17.9","1.18.0","1.19.1","1.19.2","1.19.4","1.19.5","1.19.6","1.20.0","1.21.1","1.21.2","v.2.12.4","v.2.20.1","v1.0","v1.1","v1.10","v1.10.1","v1.10.2","v1.2","v2.10.0","v2.10.1","v2.10.3","v2.10.4","v2.10.5","v2.10.6","v2.11.1","v2.12.0","v2.13.0","v2.13.1","v2.13.2","v2.13.3","v2.14.0","v2.14.1","v2.14.2","v2.14.3","v2.14.4","v2.14.5","v2.14.6","v2.14.7","v2.14.8","v2.15.0","v2.16.0","v2.16.1","v2.16.2","v2.16.3","v2.17.0","v2.17.1","v2.17.2","v2.18.0","v2.18.1","v2.18.2","v2.19.0","v2.19.1","v2.19.10","v2.19.2","v2.19.3","v2.19.4","v2.19.5","v2.19.6","v2.19.7","v2.19.8","v2.2.0","v2.20.0","v2.20.2","v2.21.0","v2.22.0","v2.22.1","v2.23.1","v2.23.2","v2.23.3","v2.24.0","v2.24.1","v2.24.2","v2.24.3","v2.24.4","v2.24.5","v2.25.0","v2.26.0","v2.26.1","v2.26.2","v2.27.0","v2.27.1","v2.27.2","v2.27.3","v2.27.4","v2.27.5","v2.27.6","v2.28.0","v2.29.0","v2.29.1","v2.29.2","v2.29.3","v2.29.4","v2.29.5","v2.29.6","v2.3.0","v2.3.1","v2.30.0","v2.30.1","v2.30.2","v2.4.0","v2.4.1","v2.4.10","v2.4.2","v2.4.3","v2.4.4","v2.4.6","v2.4.7","v2.4.8","v2.5.0","v2.5.1","v2.5.2","v2.6.0","v2.6.1","v2.6.2","v2.6.3","v2.6.5","v2.6.6","v2.6.7","v2.7.0","v2.7.1","v2.7.2","v2.7.3","v2.8.0","v2.8.1","v2.8.2","v2.8.3","v2.8.5","v2.8.7","v2.8.8","v2.8.9","v2.9.0","v3.0.0","v3.0.1","v3.0.2","v3.0.3","v3.0.4","v3.1.0","v3.1.1","v3.1.2","v3.1.3","v3.2.0","v3.3.0","v3.3.1","v4.0.0","v4.0.1","v4.0.11","v4.0.12","v4.0.2","v4.0.3","v4.0.4","v4.0.5","v4.0.6","v4.0.7","v4.0.8","v4.0.9","v4.1.0"],"database_specific":{"vanir_signatures_modified":"2026-04-12T14:04:27Z","source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-24947.json","vanir_signatures":[{"signature_type":"Function","digest":{"function_hash":"331194496177376350782708636509813281905","length":462},"target":{"function":"lsquic_hash_find","file":"src/liblsquic/lsquic_hash.c"},"id":"CVE-2025-24947-0b3fc69a","source":"https://github.com/litespeedtech/lsquic/commit/7686d8fcef284cda07a951ad74a5e90c69a9dfb1","signature_version":"v1","deprecated":false},{"signature_type":"Function","digest":{"function_hash":"201971181591077529930120262608914707852","length":207},"target":{"function":"hash_req","file":"src/liblsquic/lsquic_pr_queue.c"},"id":"CVE-2025-24947-2b30e18d","source":"https://github.com/litespeedtech/lsquic/commit/7686d8fcef284cda07a951ad74a5e90c69a9dfb1","signature_version":"v1","deprecated":false},{"signature_type":"Function","digest":{"function_hash":"996698632991710959934906725640726914","length":679},"target":{"function":"lsquic_hash_create_ext","file":"src/liblsquic/lsquic_hash.c"},"id":"CVE-2025-24947-2e408fa5","source":"https://github.com/litespeedtech/lsquic/commit/7686d8fcef284cda07a951ad74a5e90c69a9dfb1","signature_version":"v1","deprecated":false},{"signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["24605071423580549576537723899847986740","18651416707008459660285676742150561133","1345326658888670363703409631385888777","294174757279510364905652748735787618655","123250367470806634082513561561227254529","48913187206195628608025701751654155873","148011962983673345834863969628040122138","283265721823197884240009340637838477567","98707398714626299605352204233629346593","95397237026245641100212534648532785867","230565546244074636785658805109009124073","53685767684828957751365793022021467212","82173246192636980854319311056827848003"]},"target":{"file":"src/liblsquic/lsquic_pr_queue.c"},"id":"CVE-2025-24947-39e9ad72","source":"https://github.com/litespeedtech/lsquic/commit/7686d8fcef284cda07a951ad74a5e90c69a9dfb1","signature_version":"v1","deprecated":false},{"signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["100720924724564886717283577653281820174","253955502954259718927760775970344020237","106103433094452795716240843221876678556","244360622141395995227337053946616039175","278171642127931531406447748572356474294","327294821826115314676830668112162255360","18770240076093827156413070491569352670","138350053306716637808865157468430924912","142945915459599697475468609310635585796","14158343152041185995156538521753606866","35117247606069174323779035001812940949","122951780674200854456395183187304536679","99618377044339615341514256454228405890","81712615928816325928227465934920584345","197850735979195374861395447974067069748","312582278505423010538481281395950646675","193062599501430060719823433981133326038","51095753324852014972585941866199193267","234578094523847223882501145079154350989","274661996372526907132097072510512620933","270947530749992402510489996909862822886","202432372528127712404327298666369542738","286891661241162086554644881417412258408","238175769054778970534395418765811733277","24368408664044674247191898135618035974","140184479409290015811431977189986922363","225153605314485855745920372573643076187","152823277523666088557030957221538801430","166435337336494311309477751490188130608","154824463779697219907967356630790232607","211535564628194444701583193581270875197","215575653901660855761761856940610754189","125984366792866136369700303990843204039","15088576596224483174212792148488519637","83205387582897375954731779644145895416","24689128199836941046113406823206869126","148010438870525082580786074287025922912","277524340181727837341041018234908717555","228884390659195077797669915278689024613","34200605667476929881175109559025762088","186066071508050329713179222024123360585"]},"target":{"file":"src/liblsquic/lsquic_hash.c"},"id":"CVE-2025-24947-3aa0b084","source":"https://github.com/litespeedtech/lsquic/commit/7686d8fcef284cda07a951ad74a5e90c69a9dfb1","signature_version":"v1","deprecated":false},{"signature_type":"Function","digest":{"function_hash":"55136375308719441237068732602421296285","length":727},"target":{"function":"lsquic_hash_insert","file":"src/liblsquic/lsquic_hash.c"},"id":"CVE-2025-24947-4f30bcbf","source":"https://github.com/litespeedtech/lsquic/commit/7686d8fcef284cda07a951ad74a5e90c69a9dfb1","signature_version":"v1","deprecated":false},{"signature_type":"Function","digest":{"function_hash":"43863128791558959630107258078630535262","length":748},"target":{"function":"insert_conn_into_hash","file":"src/liblsquic/lsquic_engine.c"},"id":"CVE-2025-24947-673aea1d","source":"https://github.com/litespeedtech/lsquic/commit/7686d8fcef284cda07a951ad74a5e90c69a9dfb1","signature_version":"v1","deprecated":false},{"signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["125874471080925991195876911317785084155","314230014928129625539825419930630288906","251695956170555518547928774299251391168","38792559159592881866039753068430798576","335149926623577500680100941143460914662","27186076847465969795467643166108830961","296997246340101360914497831641959558801","171506861112953519727390362284451316317","142528164736486007591036351191269204894","18837941630473600591804787708710363151","90811065432418345411503284552064037122","299485180897026729998282092451827110221","175663710188316101164843709021691153797","192565228166492356221380107435935030429","141698262294020311135221584088821729349","24700930656844113332160890925915879709","30138702096670397510229369087533042152","223783215052841031244886261796703226543","246687933306224268942068463958326740444","248756084165897820754582603863302099905","59378708903182327759031030831656682109","91415596284126912844960965402475072847","230938066467342620326528616061310722865","208456018769386843703602920537764372049","111232390506137503245861194485972284228","112975644420792793765051049040721312456","50163092364463934025386158441136734483","143710330548358537441888844243397070827","145984554211429674372747477747045395486","314675775192864813181029791620091007767","82605689427086488878885718690865554919","287628884916692719578848845295170531160","145096658526585039236408214494688018402"]},"target":{"file":"src/liblsquic/lsquic_engine.c"},"id":"CVE-2025-24947-676e0f00","source":"https://github.com/litespeedtech/lsquic/commit/7686d8fcef284cda07a951ad74a5e90c69a9dfb1","signature_version":"v1","deprecated":false},{"signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["20296430310574163273101318850586723162","304631991825504760583551751188750108217","26271713585158649411941155455083782402","318946058592442479538641516898205078870","21355032245752134941320877469204790361","112189166472910808991378964839850006649","150756525908297719192336155468659782481","214869824287121487505609677098320647693","296189073688697643136710755684419945623"]},"target":{"file":"src/liblsquic/lsquic_hash.h"},"id":"CVE-2025-24947-6919db31","source":"https://github.com/litespeedtech/lsquic/commit/7686d8fcef284cda07a951ad74a5e90c69a9dfb1","signature_version":"v1","deprecated":false},{"signature_type":"Function","digest":{"function_hash":"20913144286001140596056622889385015349","length":179},"target":{"function":"imico_can_send","file":"src/liblsquic/lsquic_mini_conn_ietf.c"},"id":"CVE-2025-24947-6a23381a","source":"https://github.com/litespeedtech/lsquic/commit/7686d8fcef284cda07a951ad74a5e90c69a9dfb1","signature_version":"v1","deprecated":false},{"signature_type":"Function","digest":{"function_hash":"273168189137306048125810351016569371007","length":1287},"target":{"function":"ietf_mini_conn_ci_tick","file":"src/liblsquic/lsquic_mini_conn_ietf.c"},"id":"CVE-2025-24947-93314c16","source":"https://github.com/litespeedtech/lsquic/commit/7686d8fcef284cda07a951ad74a5e90c69a9dfb1","signature_version":"v1","deprecated":false},{"signature_type":"Function","digest":{"function_hash":"60802930100963325553143013617536139058","length":67},"target":{"function":"lsquic_hash_create","file":"src/liblsquic/lsquic_hash.c"},"id":"CVE-2025-24947-936037fe","source":"https://github.com/litespeedtech/lsquic/commit/7686d8fcef284cda07a951ad74a5e90c69a9dfb1","signature_version":"v1","deprecated":false},{"signature_type":"Function","digest":{"function_hash":"162017162968478994396080320863612819676","length":4257},"target":{"function":"find_or_create_conn","file":"src/liblsquic/lsquic_engine.c"},"id":"CVE-2025-24947-99747b9c","source":"https://github.com/litespeedtech/lsquic/commit/7686d8fcef284cda07a951ad74a5e90c69a9dfb1","signature_version":"v1","deprecated":false},{"signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["336140985318280286835521338293346298330","253538879491097361806988597362153659067","176000647035349806179022453007280218092","54282649956506621330006925613288356624","174976313501599141668170236990913381578","159361856034531714820946252433544524957","175439399700095814751318199096830133578","106526759665456260992474686326058421289","25231808440742063788599960485987971185","253001765901152164008067385746224215755"]},"target":{"file":"include/lsquic.h"},"id":"CVE-2025-24947-ac2c91ac","source":"https://github.com/litespeedtech/lsquic/commit/7686d8fcef284cda07a951ad74a5e90c69a9dfb1","signature_version":"v1","deprecated":false},{"signature_type":"Function","digest":{"function_hash":"147938490818218374369174298720915683936","length":2134},"target":{"function":"imico_stream_write","file":"src/liblsquic/lsquic_mini_conn_ietf.c"},"id":"CVE-2025-24947-b7cd51b9","source":"https://github.com/litespeedtech/lsquic/commit/7686d8fcef284cda07a951ad74a5e90c69a9dfb1","signature_version":"v1","deprecated":false},{"signature_type":"Function","digest":{"function_hash":"145969721060898881895556031803021167798","length":4307},"target":{"function":"lsquic_engine_init_settings","file":"src/liblsquic/lsquic_engine.c"},"id":"CVE-2025-24947-d14bea38","source":"https://github.com/litespeedtech/lsquic/commit/7686d8fcef284cda07a951ad74a5e90c69a9dfb1","signature_version":"v1","deprecated":false},{"signature_type":"Function","digest":{"function_hash":"44604473240148093185035987657777633732","length":705},"target":{"function":"lsquic_engine_retire_cid","file":"src/liblsquic/lsquic_engine.c"},"id":"CVE-2025-24947-decdfeae","source":"https://github.com/litespeedtech/lsquic/commit/7686d8fcef284cda07a951ad74a5e90c69a9dfb1","signature_version":"v1","deprecated":false},{"signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["199700213893545844755950895919834946916","137794958069003514337700550780497192619","196630134400791514175940574090115741017","44168624008657937404719187246841082283","237911469769918400372101345319455261011","97086624790535113445482123066941956235","244120547181834968702748493917828144952","91993868848748486208434129623646449442","108818394443936821237090849168468878806","177893403065683555845241843571130791668","290475034054965760238417002733388138877","327413043868561358239258564995338713474"]},"target":{"file":"src/liblsquic/lsquic_purga.c"},"id":"CVE-2025-24947-eced9b09","source":"https://github.com/litespeedtech/lsquic/commit/7686d8fcef284cda07a951ad74a5e90c69a9dfb1","signature_version":"v1","deprecated":false},{"signature_type":"Function","digest":{"function_hash":"144793357595627465923367971516401401815","length":6972},"target":{"function":"lsquic_engine_new","file":"src/liblsquic/lsquic_engine.c"},"id":"CVE-2025-24947-eebe2be9","source":"https://github.com/litespeedtech/lsquic/commit/7686d8fcef284cda07a951ad74a5e90c69a9dfb1","signature_version":"v1","deprecated":false},{"signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["158101576469368378083221891479110692403","35798472108641361408046344602272902884","119195625826983078635044225452783855403","35044991210037070895591892692984545133","200850359553956789009477305730139211195","338340488532815096752211221746175293176","35781053976226069640111623722367514496","292005839698968802905890088035225074778","44480742856262203109575049192067977670","173923905533012682892912123335190270220","209969339267488152120176332878343431434","67660669521684685369115612780329379226","38733338093627987958926954508471294829","152748199495814193659686934987192058014","265567845813515411975538192599720448861","51716750726338994485668562374214031262","8468814426384424079763078830199673630","70564941568509080891076333190406322236","249111058216686546322968356664924251092","203084820232596732601811958847848195760","64099874749760522158484759796282388760","199965695901315992947109250271943039001","206964075882775822406804503525691451745","175221030744826054649887967381676707969"]},"target":{"file":"src/liblsquic/lsquic_mini_conn_ietf.c"},"id":"CVE-2025-24947-f78ad475","source":"https://github.com/litespeedtech/lsquic/commit/7686d8fcef284cda07a951ad74a5e90c69a9dfb1","signature_version":"v1","deprecated":false}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"}]}