CVE-2025-29908 MEDIUM

CVE-2025-29908: Netty QUIC hash collision DoS attack

Vendor Netty
Product netty-incubator-codec-quic
Weakness CWE-407
Published March 31, 2025
Last update April 1, 2025

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality None
Integrity None
Availability Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

What the vulnerability does

01 Description

Netty QUIC codec is a QUIC codec for Netty that uses quiche. The hash map the codec uses to manage connections is vulnerable to hash collisions: a remote attacker can cause considerable CPU load on the server (a Hash DoS attack) by initiating connections with colliding Source Connection IDs (SCIDs). The vulnerability is fixed in 0.0.71.Final.

Key dates

02 Disclosure timeline

March 31, 2025 CVE published
April 1, 2025 Record updated