Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2025-54939

LiteSpeed QUIC (LSQUIC) Library before 4.3.1 has an lsquic_engine_packet_in memory leak.

Published

2025-08-01T06:15:28.860

Last Modified

2025-08-27T15:52:46.787

Status

Analyzed

Source

[email protected]

Severity

CVSSv3.1: 5.3 (MEDIUM)

Weaknesses

Type: Secondary
CWE-770
Type: Primary
CWE-401

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	litespeedtech	litespeed_web_adc	< 3.3.1	Yes
Application	litespeedtech	litespeed_web_server	< 6.3.4	Yes
Application	litespeedtech	lsquic	< 4.3.1	Yes
Application	litespeedtech	openlitespeed	< 1.8.4	Yes

References

https://blog.litespeedtech.com/2025/08/18/litespeed-security-update/ Vendor Advisory ([email protected])
https://github.com/litespeedtech/lsquic/blob/70486141724f85e97b08f510673e29f399bbae8f/CHANGELOG#L1-L3 Release Notes ([email protected])
https://github.com/litespeedtech/lsquic/commit/4cd9252e77fb4a36b572e2167a84067d603d3b23 Release Notes ([email protected])
https://www.imperva.com/blog/quic-leak-cve-2025-54939-new-high-risk-pre-handshake-remote-denial-of-service-in-lsquic-quic-implementation/ Exploit, Third Party Advisory ([email protected])