CVE-2025-24947

Source
https://nvd.nist.gov/vuln/detail/CVE-2025-24947
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-24947.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-24947
Published
2025-02-20T03:15:12.943Z
Modified
2025-11-15T15:42:56.771246Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVSS Calculator
Summary
[none]
Details

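A hash collision vulnerability in the hash table used to manage connections in LSQUIC (aka LiteSpeed QUIC) before 4.2.0 allows remote attackers to cause considerable CPU load on the server (a hash DoS attack) by initiating connections with colliding Source Connection IDs (SCIDs). The cause is the use of XXH32 for this table: XXH32 is a fast, non-cryptographic hash, so a peer that chooses its own SCIDs can make many entries land in the same bucket, and lookups that are normally near-constant time degrade toward a linear scan of that bucket. Because the CVSS vector rates the issue as reachable over the network without privileges or user interaction (AV:N/PR:N/UI:N) with availability-only impact, any server exposing an affected LSQUIC build to untrusted peers should be upgraded to 4.2.0 or later.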

References

Affected packages

Git / github.com/litespeedtech/lsquic

Affected ranges

Type
GIT
Repo
https://github.com/litespeedtech/lsquic
Events
Introduced
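0 (introducing commit unknown; all commits before the fix are treated as affected)
Fixed
(no fixed commit is recorded in this entry; per the Details text, releases before 4.2.0 are affected)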

Affected versions

1.*

1.11.0
1.11.1
1.12.0
1.12.2
1.12.3
1.12.4
1.13.0
1.14.0
1.14.3
1.15.0
1.16.0
1.17.0
1.17.10
1.17.11
1.17.12
1.17.14
1.17.15
1.17.2
1.17.3
1.17.6
1.17.7
1.17.8
1.17.9
1.18.0
1.19.1
1.19.2
1.19.4
1.19.5
1.19.6
1.20.0
1.21.1
1.21.2

v.*

v.2.12.4
v.2.20.1

v1.*

v1.0
v1.1
v1.10
v1.10.1
v1.10.2
v1.2

v2.*

v2.10.0
v2.10.1
v2.10.3
v2.10.4
v2.10.5
v2.10.6
v2.11.1
v2.12.0
v2.13.0
v2.13.1
v2.13.2
v2.13.3
v2.14.0
v2.14.1
v2.14.2
v2.14.3
v2.14.4
v2.14.5
v2.14.6
v2.14.7
v2.14.8
v2.15.0
v2.16.0
v2.16.1
v2.16.2
v2.16.3
v2.17.0
v2.17.1
v2.17.2
v2.18.0
v2.18.1
v2.18.2
v2.19.0
v2.19.1
v2.19.10
v2.19.2
v2.19.3
v2.19.4
v2.19.5
v2.19.6
v2.19.7
v2.19.8
v2.2.0
v2.20.0
v2.20.2
v2.21.0
v2.22.0
v2.22.1
v2.23.1
v2.23.2
v2.23.3
v2.24.0
v2.24.1
v2.24.2
v2.24.3
v2.24.4
v2.24.5
v2.25.0
v2.26.0
v2.26.1
v2.26.2
v2.27.0
v2.27.1
v2.27.2
v2.27.3
v2.27.4
v2.27.5
v2.27.6
v2.28.0
v2.29.0
v2.29.1
v2.29.2
v2.29.3
v2.29.4
v2.29.5
v2.29.6
v2.3.0
v2.3.1
v2.30.0
v2.30.1
v2.30.2
v2.4.0
v2.4.1
v2.4.10
v2.4.2
v2.4.3
v2.4.4
v2.4.6
v2.4.7
v2.4.8
v2.5.0
v2.5.1
v2.5.2
v2.6.0
v2.6.1
v2.6.2
v2.6.3
v2.6.5
v2.6.6
v2.6.7
v2.7.0
v2.7.1
v2.7.2
v2.7.3
v2.8.0
v2.8.1
v2.8.2
v2.8.3
v2.8.5
v2.8.7
v2.8.8
v2.8.9
v2.9.0

v3.*

v3.0.0
v3.0.1
v3.0.2
v3.0.3
v3.0.4
v3.1.0
v3.1.1
v3.1.2
v3.1.3
v3.2.0
v3.3.0
v3.3.1

v4.*

v4.0.0
v4.0.1
v4.0.11
v4.0.12
v4.0.2
v4.0.3
v4.0.4
v4.0.5
v4.0.6
v4.0.7
v4.0.8
v4.0.9
v4.1.0

Database specific

vanir_signatures

[
    {
        "digest": {
            "function_hash": "331194496177376350782708636509813281905",
            "length": 462.0
        },
        "signature_type": "Function",
        "deprecated": false,
        "signature_version": "v1",
        "id": "CVE-2025-24947-0b3fc69a",
        "target": {
            "file": "src/liblsquic/lsquic_hash.c",
            "function": "lsquic_hash_find"
        },
        "source": "https://github.com/litespeedtech/lsquic/commit/7686d8fcef284cda07a951ad74a5e90c69a9dfb1"
    },
    {
        "digest": {
            "function_hash": "201971181591077529930120262608914707852",
            "length": 207.0
        },
        "signature_type": "Function",
        "deprecated": false,
        "signature_version": "v1",
        "id": "CVE-2025-24947-2b30e18d",
        "target": {
            "file": "src/liblsquic/lsquic_pr_queue.c",
            "function": "hash_req"
        },
        "source": "https://github.com/litespeedtech/lsquic/commit/7686d8fcef284cda07a951ad74a5e90c69a9dfb1"
    },
    {
        "digest": {
            "function_hash": "996698632991710959934906725640726914",
            "length": 679.0
        },
        "signature_type": "Function",
        "deprecated": false,
        "signature_version": "v1",
        "id": "CVE-2025-24947-2e408fa5",
        "target": {
            "file": "src/liblsquic/lsquic_hash.c",
            "function": "lsquic_hash_create_ext"
        },
        "source": "https://github.com/litespeedtech/lsquic/commit/7686d8fcef284cda07a951ad74a5e90c69a9dfb1"
    },
    {
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "24605071423580549576537723899847986740",
                "18651416707008459660285676742150561133",
                "1345326658888670363703409631385888777",
                "294174757279510364905652748735787618655",
                "123250367470806634082513561561227254529",
                "48913187206195628608025701751654155873",
                "148011962983673345834863969628040122138",
                "283265721823197884240009340637838477567",
                "98707398714626299605352204233629346593",
                "95397237026245641100212534648532785867",
                "230565546244074636785658805109009124073",
                "53685767684828957751365793022021467212",
                "82173246192636980854319311056827848003"
            ]
        },
        "signature_type": "Line",
        "deprecated": false,
        "signature_version": "v1",
        "id": "CVE-2025-24947-39e9ad72",
        "target": {
            "file": "src/liblsquic/lsquic_pr_queue.c"
        },
        "source": "https://github.com/litespeedtech/lsquic/commit/7686d8fcef284cda07a951ad74a5e90c69a9dfb1"
    },
    {
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "100720924724564886717283577653281820174",
                "253955502954259718927760775970344020237",
                "106103433094452795716240843221876678556",
                "244360622141395995227337053946616039175",
                "278171642127931531406447748572356474294",
                "327294821826115314676830668112162255360",
                "18770240076093827156413070491569352670",
                "138350053306716637808865157468430924912",
                "142945915459599697475468609310635585796",
                "14158343152041185995156538521753606866",
                "35117247606069174323779035001812940949",
                "122951780674200854456395183187304536679",
                "99618377044339615341514256454228405890",
                "81712615928816325928227465934920584345",
                "197850735979195374861395447974067069748",
                "312582278505423010538481281395950646675",
                "193062599501430060719823433981133326038",
                "51095753324852014972585941866199193267",
                "234578094523847223882501145079154350989",
                "274661996372526907132097072510512620933",
                "270947530749992402510489996909862822886",
                "202432372528127712404327298666369542738",
                "286891661241162086554644881417412258408",
                "238175769054778970534395418765811733277",
                "24368408664044674247191898135618035974",
                "140184479409290015811431977189986922363",
                "225153605314485855745920372573643076187",
                "152823277523666088557030957221538801430",
                "166435337336494311309477751490188130608",
                "154824463779697219907967356630790232607",
                "211535564628194444701583193581270875197",
                "215575653901660855761761856940610754189",
                "125984366792866136369700303990843204039",
                "15088576596224483174212792148488519637",
                "83205387582897375954731779644145895416",
                "24689128199836941046113406823206869126",
                "148010438870525082580786074287025922912",
                "277524340181727837341041018234908717555",
                "228884390659195077797669915278689024613",
                "34200605667476929881175109559025762088",
                "186066071508050329713179222024123360585"
            ]
        },
        "signature_type": "Line",
        "deprecated": false,
        "signature_version": "v1",
        "id": "CVE-2025-24947-3aa0b084",
        "target": {
            "file": "src/liblsquic/lsquic_hash.c"
        },
        "source": "https://github.com/litespeedtech/lsquic/commit/7686d8fcef284cda07a951ad74a5e90c69a9dfb1"
    },
    {
        "digest": {
            "function_hash": "55136375308719441237068732602421296285",
            "length": 727.0
        },
        "signature_type": "Function",
        "deprecated": false,
        "signature_version": "v1",
        "id": "CVE-2025-24947-4f30bcbf",
        "target": {
            "file": "src/liblsquic/lsquic_hash.c",
            "function": "lsquic_hash_insert"
        },
        "source": "https://github.com/litespeedtech/lsquic/commit/7686d8fcef284cda07a951ad74a5e90c69a9dfb1"
    },
    {
        "digest": {
            "function_hash": "43863128791558959630107258078630535262",
            "length": 748.0
        },
        "signature_type": "Function",
        "deprecated": false,
        "signature_version": "v1",
        "id": "CVE-2025-24947-673aea1d",
        "target": {
            "file": "src/liblsquic/lsquic_engine.c",
            "function": "insert_conn_into_hash"
        },
        "source": "https://github.com/litespeedtech/lsquic/commit/7686d8fcef284cda07a951ad74a5e90c69a9dfb1"
    },
    {
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "125874471080925991195876911317785084155",
                "314230014928129625539825419930630288906",
                "251695956170555518547928774299251391168",
                "38792559159592881866039753068430798576",
                "335149926623577500680100941143460914662",
                "27186076847465969795467643166108830961",
                "296997246340101360914497831641959558801",
                "171506861112953519727390362284451316317",
                "142528164736486007591036351191269204894",
                "18837941630473600591804787708710363151",
                "90811065432418345411503284552064037122",
                "299485180897026729998282092451827110221",
                "175663710188316101164843709021691153797",
                "192565228166492356221380107435935030429",
                "141698262294020311135221584088821729349",
                "24700930656844113332160890925915879709",
                "30138702096670397510229369087533042152",
                "223783215052841031244886261796703226543",
                "246687933306224268942068463958326740444",
                "248756084165897820754582603863302099905",
                "59378708903182327759031030831656682109",
                "91415596284126912844960965402475072847",
                "230938066467342620326528616061310722865",
                "208456018769386843703602920537764372049",
                "111232390506137503245861194485972284228",
                "112975644420792793765051049040721312456",
                "50163092364463934025386158441136734483",
                "143710330548358537441888844243397070827",
                "145984554211429674372747477747045395486",
                "314675775192864813181029791620091007767",
                "82605689427086488878885718690865554919",
                "287628884916692719578848845295170531160",
                "145096658526585039236408214494688018402"
            ]
        },
        "signature_type": "Line",
        "deprecated": false,
        "signature_version": "v1",
        "id": "CVE-2025-24947-676e0f00",
        "target": {
            "file": "src/liblsquic/lsquic_engine.c"
        },
        "source": "https://github.com/litespeedtech/lsquic/commit/7686d8fcef284cda07a951ad74a5e90c69a9dfb1"
    },
    {
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "20296430310574163273101318850586723162",
                "304631991825504760583551751188750108217",
                "26271713585158649411941155455083782402",
                "318946058592442479538641516898205078870",
                "21355032245752134941320877469204790361",
                "112189166472910808991378964839850006649",
                "150756525908297719192336155468659782481",
                "214869824287121487505609677098320647693",
                "296189073688697643136710755684419945623"
            ]
        },
        "signature_type": "Line",
        "deprecated": false,
        "signature_version": "v1",
        "id": "CVE-2025-24947-6919db31",
        "target": {
            "file": "src/liblsquic/lsquic_hash.h"
        },
        "source": "https://github.com/litespeedtech/lsquic/commit/7686d8fcef284cda07a951ad74a5e90c69a9dfb1"
    },
    {
        "digest": {
            "function_hash": "20913144286001140596056622889385015349",
            "length": 179.0
        },
        "signature_type": "Function",
        "deprecated": false,
        "signature_version": "v1",
        "id": "CVE-2025-24947-6a23381a",
        "target": {
            "file": "src/liblsquic/lsquic_mini_conn_ietf.c",
            "function": "imico_can_send"
        },
        "source": "https://github.com/litespeedtech/lsquic/commit/7686d8fcef284cda07a951ad74a5e90c69a9dfb1"
    },
    {
        "digest": {
            "function_hash": "273168189137306048125810351016569371007",
            "length": 1287.0
        },
        "signature_type": "Function",
        "deprecated": false,
        "signature_version": "v1",
        "id": "CVE-2025-24947-93314c16",
        "target": {
            "file": "src/liblsquic/lsquic_mini_conn_ietf.c",
            "function": "ietf_mini_conn_ci_tick"
        },
        "source": "https://github.com/litespeedtech/lsquic/commit/7686d8fcef284cda07a951ad74a5e90c69a9dfb1"
    },
    {
        "digest": {
            "function_hash": "60802930100963325553143013617536139058",
            "length": 67.0
        },
        "signature_type": "Function",
        "deprecated": false,
        "signature_version": "v1",
        "id": "CVE-2025-24947-936037fe",
        "target": {
            "file": "src/liblsquic/lsquic_hash.c",
            "function": "lsquic_hash_create"
        },
        "source": "https://github.com/litespeedtech/lsquic/commit/7686d8fcef284cda07a951ad74a5e90c69a9dfb1"
    },
    {
        "digest": {
            "function_hash": "162017162968478994396080320863612819676",
            "length": 4257.0
        },
        "signature_type": "Function",
        "deprecated": false,
        "signature_version": "v1",
        "id": "CVE-2025-24947-99747b9c",
        "target": {
            "file": "src/liblsquic/lsquic_engine.c",
            "function": "find_or_create_conn"
        },
        "source": "https://github.com/litespeedtech/lsquic/commit/7686d8fcef284cda07a951ad74a5e90c69a9dfb1"
    },
    {
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "336140985318280286835521338293346298330",
                "253538879491097361806988597362153659067",
                "176000647035349806179022453007280218092",
                "54282649956506621330006925613288356624",
                "174976313501599141668170236990913381578",
                "159361856034531714820946252433544524957",
                "175439399700095814751318199096830133578",
                "106526759665456260992474686326058421289",
                "25231808440742063788599960485987971185",
                "253001765901152164008067385746224215755"
            ]
        },
        "signature_type": "Line",
        "deprecated": false,
        "signature_version": "v1",
        "id": "CVE-2025-24947-ac2c91ac",
        "target": {
            "file": "include/lsquic.h"
        },
        "source": "https://github.com/litespeedtech/lsquic/commit/7686d8fcef284cda07a951ad74a5e90c69a9dfb1"
    },
    {
        "digest": {
            "function_hash": "147938490818218374369174298720915683936",
            "length": 2134.0
        },
        "signature_type": "Function",
        "deprecated": false,
        "signature_version": "v1",
        "id": "CVE-2025-24947-b7cd51b9",
        "target": {
            "file": "src/liblsquic/lsquic_mini_conn_ietf.c",
            "function": "imico_stream_write"
        },
        "source": "https://github.com/litespeedtech/lsquic/commit/7686d8fcef284cda07a951ad74a5e90c69a9dfb1"
    },
    {
        "digest": {
            "function_hash": "145969721060898881895556031803021167798",
            "length": 4307.0
        },
        "signature_type": "Function",
        "deprecated": false,
        "signature_version": "v1",
        "id": "CVE-2025-24947-d14bea38",
        "target": {
            "file": "src/liblsquic/lsquic_engine.c",
            "function": "lsquic_engine_init_settings"
        },
        "source": "https://github.com/litespeedtech/lsquic/commit/7686d8fcef284cda07a951ad74a5e90c69a9dfb1"
    },
    {
        "digest": {
            "function_hash": "44604473240148093185035987657777633732",
            "length": 705.0
        },
        "signature_type": "Function",
        "deprecated": false,
        "signature_version": "v1",
        "id": "CVE-2025-24947-decdfeae",
        "target": {
            "file": "src/liblsquic/lsquic_engine.c",
            "function": "lsquic_engine_retire_cid"
        },
        "source": "https://github.com/litespeedtech/lsquic/commit/7686d8fcef284cda07a951ad74a5e90c69a9dfb1"
    },
    {
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "199700213893545844755950895919834946916",
                "137794958069003514337700550780497192619",
                "196630134400791514175940574090115741017",
                "44168624008657937404719187246841082283",
                "237911469769918400372101345319455261011",
                "97086624790535113445482123066941956235",
                "244120547181834968702748493917828144952",
                "91993868848748486208434129623646449442",
                "108818394443936821237090849168468878806",
                "177893403065683555845241843571130791668",
                "290475034054965760238417002733388138877",
                "327413043868561358239258564995338713474"
            ]
        },
        "signature_type": "Line",
        "deprecated": false,
        "signature_version": "v1",
        "id": "CVE-2025-24947-eced9b09",
        "target": {
            "file": "src/liblsquic/lsquic_purga.c"
        },
        "source": "https://github.com/litespeedtech/lsquic/commit/7686d8fcef284cda07a951ad74a5e90c69a9dfb1"
    },
    {
        "digest": {
            "function_hash": "144793357595627465923367971516401401815",
            "length": 6972.0
        },
        "signature_type": "Function",
        "deprecated": false,
        "signature_version": "v1",
        "id": "CVE-2025-24947-eebe2be9",
        "target": {
            "file": "src/liblsquic/lsquic_engine.c",
            "function": "lsquic_engine_new"
        },
        "source": "https://github.com/litespeedtech/lsquic/commit/7686d8fcef284cda07a951ad74a5e90c69a9dfb1"
    },
    {
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "158101576469368378083221891479110692403",
                "35798472108641361408046344602272902884",
                "119195625826983078635044225452783855403",
                "35044991210037070895591892692984545133",
                "200850359553956789009477305730139211195",
                "338340488532815096752211221746175293176",
                "35781053976226069640111623722367514496",
                "292005839698968802905890088035225074778",
                "44480742856262203109575049192067977670",
                "173923905533012682892912123335190270220",
                "209969339267488152120176332878343431434",
                "67660669521684685369115612780329379226",
                "38733338093627987958926954508471294829",
                "152748199495814193659686934987192058014",
                "265567845813515411975538192599720448861",
                "51716750726338994485668562374214031262",
                "8468814426384424079763078830199673630",
                "70564941568509080891076333190406322236",
                "249111058216686546322968356664924251092",
                "203084820232596732601811958847848195760",
                "64099874749760522158484759796282388760",
                "199965695901315992947109250271943039001",
                "206964075882775822406804503525691451745",
                "175221030744826054649887967381676707969"
            ]
        },
        "signature_type": "Line",
        "deprecated": false,
        "signature_version": "v1",
        "id": "CVE-2025-24947-f78ad475",
        "target": {
            "file": "src/liblsquic/lsquic_mini_conn_ietf.c"
        },
        "source": "https://github.com/litespeedtech/lsquic/commit/7686d8fcef284cda07a951ad74a5e90c69a9dfb1"
    }
]