CVE-2025-29908

Netty QUIC hash collision DoS attack

CVSS 5.3 MEDIUMEPSS 0.5%CWE-407

In short

Netty's QUIC codec can be overwhelmed by an attacker sending specially crafted connection requests with identical hash values, causing the server to waste CPU resources and become slow or unresponsive.

Technical detail

A hash collision vulnerability in the connection management hash map of Netty QUIC codec allows remote attackers to trigger excessive CPU consumption through crafted Source Connection IDs (SCIDs). The attack requires no authentication and exploits poor hash distribution, resulting in denial of service.

Summary generated and translated by AI from the official description.

Netty QUIC codec is a QUIC codec for netty which makes use of quiche. An issue was discovered in the codec. A hash collision vulnerability (in the hash map used to manage connections) allows remote attackers to cause a considerable CPU load on the server (a Hash DoS attack) by initiating connections with colliding Source Connection IDs (SCIDs). This vulnerability is fixed in 0.0.71.Final.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Affected products

netty · netty-incubator-codec-quic

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/ncc-pbottine/QUIC-Hash-Dos-Advisory https://github.com/netty/netty-incubator-codec-quic/commit/e059bd9b78723f8b035e0c547e42ce263f03461c https://github.com/netty/netty-incubator-codec-quic/security/advisories/GHSA-hqqc-jr88-p6x2