CVE-2025-54939

MEDIUM LAB

LiteSpeed QUIC Library < 4.3.1 - Memory Leak in lsquic_engine_packet_in

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-54939. PoCs published by yohannslm.

AI-analyzed exploit summary This repository contains a functional PoC for CVE-2025-54939, a pre-handshake memory exhaustion vulnerability in LSQUIC. The exploit sends malformed QUIC packets to trigger a memory leak, leading to a Denial of Service (DoS) condition.

Description

LiteSpeed QUIC (LSQUIC) Library before 4.3.1 has an lsquic_engine_packet_in memory leak.

Exploits (1)

nomisec WORKING POC
by yohannslm · poc
https://github.com/yohannslm/CVE-2025-54939

This repository contains a functional PoC for CVE-2025-54939, a pre-handshake memory exhaustion vulnerability in LSQUIC. The exploit sends malformed QUIC packets to trigger a memory leak, leading to a Denial of Service (DoS) condition.

Classification
Working Poc 95%
Attack Type
Dos
Complexity
Moderate
Reliability
Reliable
Target: LSQUIC < 4.3.1, OpenLiteSpeed < 1.8.4, LiteSpeed Web Server < 6.3.4
No auth needed
Prerequisites: Network access to the target server · QUIC protocol support on the target
devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (4)

Core 4

Scores

CVSS v3 5.3
EPSS 0.0077
EPSS Percentile 50.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Lab Environment

COMMUNITY
Community Lab
docker pull mariadb:11.4
docker pull bitnami/phpmyadmin:5.2.2
docker pull redis:alpine

Details

CWE
CWE-770 CWE-401
Status published
Products (4)
litespeedtech/litespeed_web_adc < 3.3.1
litespeedtech/litespeed_web_server < 6.3.4
litespeedtech/lsquic < 4.3.1
litespeedtech/openlitespeed < 1.8.4
Published Aug 01, 2025
Tracked Since Feb 18, 2026