LiteSpeed Security Update
We have a security update for LiteSpeed’s QUIC and HTTP/3 Library (LSQUIC), and all three LiteSpeed server products. Recently we were made aware of a vulnerability affecting LSQUIC. We patched this vulnerability in v4.3.1.
Please update to the latest versions of LSQUIC and all LiteSpeed server products.
This Allocation of Resources Without Limits or Throttling vulnerability, reported by Yohann Sillam from Imperva Offensive Team, has been assigned CVE-2025-54939.
Impact
UDP packets, crafted in a particular way and sent to the HTTP/QUIC service port, can cause an unbounded memory leak. This has the potential to cause the process or the server to run out of memory, eventually leading to a Denial of Service.
This vulnerability in the LSQUIC Library affects all server products and may be easily exploited.
Actions
We strongly recommend that those using the QUIC and HTTP/3 library upgrade to LSQUIC version 4.3.1 or higher to patch this vulnerability.
Additionally, those who are using LiteSpeed server products should upgrade to the following versions of these products immediately:
- LiteSpeed Web Server (LSWS) v6.3.4 or higher
- LiteSpeed Web ADC (LSADC) v3.3.1 or higher
- OpenLiteSpeed (OLS) v1.8.4 or higher
If you cannot upgrade your server at this time, you can disable HTTP/3 to avoid this vulnerability.
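To check an inventory of LiteSpeed hosts against the fixed versions listed above, here is an added example (not code from LiteSpeed or the advisory). It assumes a hypothetical inventory of (hostname, product, version, HTTP/3 enabled) tuples and treats a host with HTTP/3 disabled as mitigated rather than fixed.

```python
import re
from typing import Dict, List, Tuple

# First fixed release of each product, as stated in the advisory for CVE-2025-54939.
FIXED_VERSIONS: Dict[str, str] = {
    "LSQUIC": "4.3.1",
    "LSWS": "6.3.4",
    "LSADC": "3.3.1",
    "OLS": "1.8.4",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn 'v6.3.4', '6.3' or '1.8.4-rc1' into a comparable tuple.

    Missing trailing components count as 0. A pre-release suffix is ignored
    (assumption: the numeric part alone decides whether the fix is present).
    """
    m = re.match(r"v?(\d+(?:\.\d+)*)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (3 - len(parts))


def is_vulnerable(product: str, version: str) -> bool:
    """True if the installed build is older than the first fixed release."""
    fixed = FIXED_VERSIONS[product.upper()]
    return parse_version(version) < parse_version(fixed)


def status(product: str, version: str, http3_enabled: bool) -> str:
    """Classify one host: fixed, mitigated (HTTP/3 off), or upgrade required."""
    if not is_vulnerable(product, version):
        return "fixed"
    return "upgrade-required" if http3_enabled else "mitigated-http3-disabled"


def audit(inventory: List[Tuple[str, str, str, bool]]) -> Dict[str, str]:
    """Map each hostname in the inventory to its status."""
    return {host: status(prod, ver, h3) for host, prod, ver, h3 in inventory}


# Constructed sample inventory; hostnames and versions are illustrative only.
SAMPLE_INVENTORY = [
    ("web-01", "LSWS", "v6.3.3", True),    # below 6.3.4 with HTTP/3 on
    ("web-02", "LSWS", "6.3.4", True),     # at the fixed version
    ("edge-01", "LSADC", "3.3.0", False),  # vulnerable build, HTTP/3 disabled
    ("ols-01", "OLS", "1.8.4", True),      # at the fixed version
    ("lib-01", "LSQUIC", "4.2", True),     # short version string, below 4.3.1
]

if __name__ == "__main__":
    for host, state in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {state}")
```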
Timeline
- July 15, 2025: We were alerted to the issue.
- July 18, 2025: Patch was added to our internal repo to be included in all subsequent builds of our commercial server products.
- August 1, 2025: Released LSWS v6.3.4 and OLS v1.8.4.
- August 4, 2025: Released LSADC v3.3.1.
- August 13, 2025: Released LSQUIC v4.3.1 to the GitHub repository.
Conclusion
We thank Imperva Offensive Team for bringing this issue to our attention. This vulnerability has been patched, so if you are keeping your LSQUIC library or your LiteSpeed server products up-to-date, there is nothing you need to do. If you have not updated in a while, please do so today.