CVE-2025-54939
Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 01/08/2025
Last modified: 27/08/2025
Description
LiteSpeed QUIC (LSQUIC) Library before 4.3.1 has an lsquic_engine_packet_in memory leak.
Impact
Base Score 3.x: 5.30
Severity 3.x: MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:litespeedtech:litespeed_web_adc:*:*:*:*:*:*:*:* | 3.3.1 (excluding) | |
| cpe:2.3:a:litespeedtech:litespeed_web_server:*:*:*:*:*:*:*:* | 6.3.4 (excluding) | |
| cpe:2.3:a:litespeedtech:lsquic:*:*:*:*:*:*:*:* | 4.3.1 (excluding) | |
| cpe:2.3:a:litespeedtech:openlitespeed:*:*:*:*:*:*:*:* | 1.8.4 (excluding) | |
References to Advisories, Solutions, and Tools
- https://blog.litespeedtech.com/2025/08/18/litespeed-security-update/
- https://github.com/litespeedtech/lsquic/blob/70486141724f85e97b08f510673e29f399bbae8f/CHANGELOG#L1-L3
- https://github.com/litespeedtech/lsquic/commit/4cd9252e77fb4a36b572e2167a84067d603d3b23
- https://www.imperva.com/blog/quic-leak-cve-2025-54939-new-high-risk-pre-handshake-remote-denial-of-service-in-lsquic-quic-implementation/



