Medium severity5.3NVD Advisory· Published Feb 20, 2025· Updated Apr 15, 2026

CVE-2025-24947

Description

A hash collision vulnerability (in the hash table used to manage connections) in LSQUIC (aka LiteSpeed QUIC) before 4.2.0 allows remote attackers to cause a considerable CPU load on the server (a Hash DoS attack) by initiating connections with colliding Source Connection IDs (SCIDs). This is caused by XXH32 usage.

Patches

7686d8fcef28

https://github.com/litespeedtech/lsquicvia osv

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/litespeedtech/lsquic/releases/tag/v4.2.0nvd
xxhash.comnvd

News mentions

No linked articles in our index yet.

cvss	0.345
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000