
New QUIC-LEAK Vulnerability Exposes Servers to Memory Exhaustion and Denial-of-Service

A critical vulnerability has been discovered in the widely used LSQUIC QUIC implementation that allows attackers to crash servers through memory exhaustion before any connection handshake is established.

The vulnerability, designated CVE-2025-54939 and dubbed “QUIC-LEAK,” bypasses all standard QUIC protection mechanisms and affects the second most popular QUIC implementation globally.

QUIC-LEAK exploits a fundamental weakness in how LSQUIC processes coalesced packets within UDP datagrams.

The vulnerability occurs during the parsing of QUIC Initial packets, which are used to establish connections and, according to RFC 9000, must meet a minimum size requirement of 1200 bytes.

Attackers can craft malicious UDP datagrams containing multiple Initial packets with varying Destination Connection IDs (DCIDs).

While QUIC protocol specifications require clients to use consistent DCIDs until receiving a server response, LSQUIC fails to properly validate these identifiers in coalesced packets.

The implementation allocates memory for each packet but frees only the memory belonging to the first valid packet, so the allocations for the subsequent invalid packets leak and accumulate.

On Amazon Web Services, LiteSpeed ranks among the top three most popular web servers in the Marketplace, with prebuilt stacks for Node.js, WordPress, and other applications.

The attack works by sending UDP datagrams containing one valid Initial packet followed by multiple packets with incorrect DCIDs.

[Figure: GDB script used to investigate the issue.]

Each malformed packet consumes approximately 96 bytes of RAM through the packet_in structure, but these allocations are never released.

Since the vulnerability triggers before handshake completion, it circumvents all QUIC connection-level safeguards including connection limits, stream controls, and flow regulation mechanisms.
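The check that the article describes as missing, a receiver comparing the DCID of every coalesced packet against the first packet in the datagram, can be written as a small defender-side parser. The following Python is an added example, not LSQUIC's code or the researchers' tooling: it splits a UDP payload into QUIC long-header packets using the RFC 9000 v1 layout, flags any later packet whose DCID differs from the first (which RFC 9000 section 12.2 tells receivers to ignore), and flags datagrams that carry an Initial packet but fall short of the 1200-byte minimum. The sample datagrams are constructed here for the test: `make_initial` emits only the header framing of an Initial with a zero-filled body, not a decryptable packet.

```python
from dataclasses import dataclass

MIN_INITIAL_DATAGRAM = 1200   # RFC 9000 section 14.1: client Initial datagrams are padded to this
MAX_CID_LEN = 20              # RFC 9000 section 17.2: v1 connection IDs are at most 20 bytes
LONG_TYPES = {0: "Initial", 1: "0-RTT", 2: "Handshake", 3: "Retry"}


class ParseError(ValueError):
    """The bytes do not form a well-formed long-header packet."""


def read_varint(buf: bytes, pos: int):
    """Decode a QUIC variable-length integer (RFC 9000 section 16); returns (value, next_pos)."""
    if pos >= len(buf):
        raise ParseError("truncated varint")
    size = 1 << (buf[pos] >> 6)             # top two bits select 1, 2, 4 or 8 bytes
    if pos + size > len(buf):
        raise ParseError("truncated varint")
    value = buf[pos] & 0x3F
    for b in buf[pos + 1:pos + size]:
        value = (value << 8) | b
    return value, pos + size


def encode_varint(value: int) -> bytes:
    """Encode a QUIC variable-length integer; used only to build the constructed samples."""
    for size, prefix in ((1, 0x00), (2, 0x40), (4, 0x80), (8, 0xC0)):
        if value < 1 << (8 * size - 2):
            raw = value.to_bytes(size, "big")
            return bytes([raw[0] | prefix]) + raw[1:]
    raise ValueError("varint too large")


@dataclass
class LongHeader:
    ptype: str
    version: int
    dcid: bytes
    scid: bytes
    size: int   # bytes this packet occupies in the datagram


def parse_long_header(buf: bytes, pos: int) -> LongHeader:
    """Parse the long-header packet starting at buf[pos] (RFC 9000 section 17.2)."""
    if pos + 7 > len(buf):                  # first byte, version, two CID length bytes
        raise ParseError("truncated header")
    first = buf[pos]
    if first & 0x80 == 0:
        raise ParseError("short header")
    version = int.from_bytes(buf[pos + 1:pos + 5], "big")
    if version != 0 and first & 0x40 == 0:
        raise ParseError("fixed bit clear")
    p, cids = pos + 5, []
    for _ in range(2):                      # DCID, then SCID
        if p >= len(buf):
            raise ParseError("truncated connection ID")
        n = buf[p]
        if n > MAX_CID_LEN or p + 1 + n > len(buf):
            raise ParseError("bad connection ID length")
        cids.append(bytes(buf[p + 1:p + 1 + n]))
        p += 1 + n
    dcid, scid = cids
    ptype = "VersionNegotiation" if version == 0 else LONG_TYPES[(first >> 4) & 0x3]
    if ptype in ("VersionNegotiation", "Retry"):   # no Length field: these consume the rest
        return LongHeader(ptype, version, dcid, scid, len(buf) - pos)
    if ptype == "Initial":
        token_len, p = read_varint(buf, p)
        p += token_len
    length, p = read_varint(buf, p)         # packet number + protected payload
    if p + length > len(buf):
        raise ParseError("Length field runs past the end of the datagram")
    return LongHeader(ptype, version, dcid, scid, p + length - pos)


def split_datagram(payload: bytes):
    """Split a UDP payload into its coalesced long-header packets (RFC 9000 section 12.2).

    Stops at a short-header packet or zero padding, since neither carries a DCID length.
    """
    packets, pos = [], 0
    while pos < len(payload) and payload[pos] & 0x80:
        hdr = parse_long_header(payload, pos)
        packets.append(hdr)
        pos += hdr.size
    return packets


def check_datagram(payload: bytes) -> dict:
    """Report coalesced packets whose DCID differs from the first packet's, and undersized Initials."""
    try:
        packets = split_datagram(payload)
    except ParseError as exc:
        return {"packets": 0, "mismatched": 0, "findings": [f"malformed: {exc}"]}
    findings = []
    for i, pkt in enumerate(packets[1:], start=2):
        if pkt.dcid != packets[0].dcid:    # RFC 9000 section 12.2: receivers should ignore these
            findings.append(f"dcid-mismatch: packet {i} ({pkt.ptype}) DCID {pkt.dcid.hex()} "
                            f"differs from {packets[0].dcid.hex()}")
    mismatched = len(findings)
    if any(p.ptype == "Initial" for p in packets) and len(payload) < MIN_INITIAL_DATAGRAM:
        findings.append(f"too-short: {len(payload)} bytes carries an Initial (minimum {MIN_INITIAL_DATAGRAM})")
    return {"packets": len(packets), "mismatched": mismatched, "findings": findings}


def make_initial(dcid: bytes, scid: bytes = b"", body_len: int = 16) -> bytes:
    """Constructed test input: framing of a QUIC v1 Initial with a zero-filled body (not decryptable)."""
    hdr = b"\xc0" + (1).to_bytes(4, "big") + bytes([len(dcid)]) + dcid + bytes([len(scid)]) + scid
    hdr += encode_varint(0) + encode_varint(1 + body_len)   # empty token; 1-byte packet number + body
    return hdr + bytes(1 + body_len)


def pad(datagram: bytes, size: int = MIN_INITIAL_DATAGRAM) -> bytes:
    """Zero-pad a datagram to the client Initial minimum, as a conforming client does."""
    return datagram + bytes(max(0, size - len(datagram)))


# Constructed samples: a normal client Initial, and the shape the article describes
# (one valid Initial followed by coalesced Initials that carry other DCIDs).
BENIGN = pad(make_initial(b"\x11" * 8, b"\x22" * 8))
LEAK_SHAPE = pad(make_initial(b"\x11" * 8, b"\x22" * 8)
                 + b"".join(make_initial(bytes([n]) * 8) for n in range(40, 70)))

if __name__ == "__main__":
    for name, dg in (("benign", BENIGN), ("leak-shape", LEAK_SHAPE)):
        print(name, check_datagram(dg))
```

Run stand-alone, the script reports zero findings for the benign datagram and thirty `dcid-mismatch` findings for the coalesced one. A receiver applying this rule drops the mismatched packets before allocating any per-packet state, which is the behaviour RFC 9000 already calls for; the `too-short` finding is the separate RFC 9000 section 14.1 rule that servers discard Initial packets arriving in datagrams under 1200 bytes.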

[Figure: QUIC-LEAK vulnerability.]

LSQUIC powers QUIC and HTTP/3 support across all LiteSpeed Web Server and OpenLiteSpeed installations, making this vulnerability particularly concerning given LiteSpeed’s market penetration.

[Figure: Malicious UDP datagram.]

A single UDP datagram can hold up to ~65,535 bytes, but on a typical 1500-byte MTU path the UDP payload is usually 1472 bytes.

As of 2025, LiteSpeed serves over 14% of all websites and more than 34% of HTTP/3-enabled sites, positioning it as the second most common HTTP/3 server implementation after Cloudflare Quiche.

The vulnerability poses significant risks to hosting providers and cloud platforms utilizing LiteSpeed infrastructure.

Testing demonstrated the attack’s effectiveness against real-world deployments.

Using a 512 MiB OpenLiteSpeed server running WordPress, researchers showed that sustained attacks could rapidly exhaust available memory, triggering out-of-memory conditions and rendering services unresponsive.

The server's memory consumption grows at approximately 70% of the incoming bandwidth rate, making the attack highly effective over extended periods.

Major security vendors including Akamai and Cloudflare have been notified to help protect their customers’ infrastructure.

Mitigations

The vulnerability was responsibly disclosed to LiteSpeed Technologies on July 15, 2025. The company responded promptly, releasing patches in LSQUIC version 4.3.1 on July 18, 2025.

Updated versions of affected products—OpenLiteSpeed 1.8.4 and LiteSpeed Web Server 6.3.4—were released on August 1, 2025, incorporating the security fixes.

[Figure: Impact of QUIC-LEAK on a LiteSpeed web server.]

MITRE assigned the vulnerability CVE-2025-54939 with an initial CVSS 3.1 base score of 5.3, though researchers argue the availability impact warrants a higher rating of 7.5 based on demonstrated real-world exploitation potential.

Organizations should immediately upgrade to patched versions of LSQUIC-dependent software.

For systems unable to upgrade immediately, administrators should implement network-level protections, enforce memory usage limits on exposed services, and monitor for unusual UDP traffic patterns.


Ethan Brooks

Ethan Brooks is a Senior cybersecurity journalist passionate about threat intelligence and data privacy. His work highlights cyber attacks, hacking, security culture, and cybercrime with The Cyber News.
