LiteSpeed Technologies has issued an urgent security update after discovering a critical vulnerability in its LSQUIC library (responsible for QUIC and HTTP/3 support) as well as in all of its server products: LiteSpeed Web Server (LSWS), LiteSpeed Web ADC (LSADC), and OpenLiteSpeed (OLS).

The flaw, tracked as CVE-2025-54939, was reported by Yohann Sillam of Imperva’s Offensive Security Team. According to LiteSpeed, the bug is easy to exploit: a remote attacker can force the server to allocate memory without bound until it is exhausted, resulting in a full Denial-of-Service (DoS).


What’s the Vulnerability About?

The issue is classified as Allocation of Resources Without Limits or Throttling (CWE-770). In practical terms, an attacker sends specially crafted UDP packets to the HTTP/3 (QUIC) service port, and the server allocates memory for them with no cap and no rate limit.

Because the allocation is unbounded, sustained traffic eventually exhausts the host's memory or crashes the process, taking websites, applications, and other services hosted on the server offline.


Affected Products

The vulnerability impacts all LiteSpeed products using the LSQUIC library:

  • LiteSpeed Web Server (LSWS) → versions prior to 6.3.4
  • LiteSpeed Web ADC (LSADC) → versions prior to 3.3.1
  • OpenLiteSpeed (OLS) → versions prior to 1.8.4
  • LSQUIC Library → versions prior to 4.3.1

This includes both commercial editions and the widely used open-source version OpenLiteSpeed, particularly popular in WordPress and WooCommerce hosting environments.


Timeline of the Discovery

  • July 15, 2025 → Imperva reported the issue to LiteSpeed.
  • July 18, 2025 → Patch added to internal repositories for upcoming releases.
  • August 1, 2025 → LSWS 6.3.4 and OLS 1.8.4 released.
  • August 4, 2025 → LSADC 3.3.1 released.
  • August 13, 2025 → LSQUIC 4.3.1 published on GitHub.
  • August 18, 2025 → Public security advisory issued.

Recommended Actions for Administrators

LiteSpeed strongly advises upgrading to the latest versions:

  • LSWS → v6.3.4 or higher
  • LSADC → v3.3.1 or higher
  • OLS → v1.8.4 or higher
  • LSQUIC → v4.3.1 or higher

If an immediate upgrade is not possible, disabling HTTP/3 is the recommended temporary mitigation. The attack needs UDP packets to reach the QUIC port, so removing that listener closes the vector; clients simply fall back to HTTP/2 or HTTP/1.1 over TCP, and the only cost is HTTP/3's performance benefit.
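A quick triage script for the two questions an administrator has to answer before deciding between the upgrade and the workaround: is the installed build older than the fixed version listed above, and is a QUIC listener actually exposed on UDP/443? This is an added example, not a script from LiteSpeed or Imperva. It assumes the default install path /usr/local/lsws/bin/lshttpd and that `lshttpd -v` prints a first line of the form `LiteSpeed/<version> <Edition>` (for example `LiteSpeed/1.8.3 Open` or `LiteSpeed/6.3.3 Enterprise`); the `ADC` edition label is a hypothetical mapping for LSADC and has not been verified against its banner. The fixed versions are the ones from the advisory; the banners fed in when no server is installed are constructed samples.

```shell
#!/bin/sh
# Triage helper for CVE-2025-54939 (added example; assumptions noted inline).

# version_lt A B: exit 0 if dotted numeric version A is older than B.
version_lt() {
  a=$1; b=$2
  while [ -n "$a" ] || [ -n "$b" ]; do
    ai=${a%%.*}; bi=${b%%.*}
    case $a in *.*) a=${a#*.};; *) a=;; esac
    case $b in *.*) b=${b#*.};; *) b=;; esac
    [ "${ai:-0}" -lt "${bi:-0}" ] && return 0
    [ "${ai:-0}" -gt "${bi:-0}" ] && return 1
  done
  return 1   # equal versions are not "less than"
}

# First fixed release per edition, as listed in the advisory.
fixed_version() {
  case $1 in
    Enterprise) echo 6.3.4 ;;   # LiteSpeed Web Server
    Open)       echo 1.8.4 ;;   # OpenLiteSpeed
    ADC)        echo 3.3.1 ;;   # LSADC (edition label assumed, not verified)
    *) return 1 ;;
  esac
}

# parse_banner "LiteSpeed/1.8.3 Open" -> "Open 1.8.3"; prints nothing if the
# banner does not match the assumed "LiteSpeed/<version> <Edition>" format.
parse_banner() {
  printf '%s\n' "$1" | sed -n 's#^LiteSpeed/\([0-9][0-9.]*\) \([A-Za-z]*\).*#\2 \1#p'
}

# check_banner BANNER: 0 = patched, 1 = vulnerable, 2 = could not determine.
check_banner() {
  parsed=$(parse_banner "$1") || return 2
  [ -n "$parsed" ] || { echo "UNKNOWN banner: $1"; return 2; }
  edition=${parsed%% *}; ver=${parsed#* }
  fixed=$(fixed_version "$edition") || { echo "UNKNOWN edition: $edition"; return 2; }
  if version_lt "$ver" "$fixed"; then
    echo "VULNERABLE: $edition $ver is older than fixed release $fixed"; return 1
  fi
  echo "PATCHED: $edition $ver is $fixed or later"; return 0
}

# Default binary location (assumption); override with LSWS_BIN=/path/to/lshttpd.
LSWS_BIN=${LSWS_BIN:-/usr/local/lsws/bin/lshttpd}
if [ -x "$LSWS_BIN" ]; then
  check_banner "$("$LSWS_BIN" -v 2>/dev/null | head -n 1)" || true
else
  echo "no lshttpd at $LSWS_BIN; evaluating constructed sample banners instead"
  check_banner "LiteSpeed/1.8.3 Open" || true          # constructed: vulnerable
  check_banner "LiteSpeed/6.3.4 Enterprise" || true    # constructed: patched
fi

# QUIC/HTTP/3 rides on UDP: any UDP listener on 443 means the vector is exposed.
if command -v ss >/dev/null 2>&1; then
  ss -ulnH 2>/dev/null | awk '$4 ~ /:443$/ {print "UDP/443 listener (HTTP/3 exposed): " $0}'
fi
```

Run it on the host as the user that can read the listener table; a `VULNERABLE` verdict together with a UDP/443 listener line means the workaround (turn off HTTP/3, or at minimum stop accepting UDP/443 at the edge) should be applied until the upgrade lands. An absent UDP listener with a vulnerable version still warrants the upgrade, since the library remains unpatched.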


Impact on OpenLiteSpeed and Managed Services

The open-source OpenLiteSpeed is also affected, raising concerns for the large number of servers running it in production. Managed hosting providers such as RunCloud have announced plans to automatically roll out updates to OLS v1.8.4 across all connected servers, minimizing the risk for their customers.


Why This Matters

This incident underscores the importance of keeping servers patched and updated. While protocols like QUIC and HTTP/3 deliver major performance and security improvements, they also introduce new attack surfaces that cybercriminals can exploit.

LiteSpeed has thanked the Imperva Offensive Security Team for responsibly reporting the issue and emphasized that users already running patched versions are safe. Those who have not updated, however, remain exposed to potential denial-of-service attacks.


Frequently Asked Questions (FAQ)

1. What is LSQUIC?
It is LiteSpeed's library implementing QUIC and HTTP/3, modern transport protocols that cut connection setup latency and encrypt traffic by default.

2. How dangerous is CVE-2025-54939?
It is remotely and easily exploitable: an attacker can drive unbounded memory consumption that crashes or starves the server, resulting in a Denial-of-Service.

3. Is OpenLiteSpeed affected?
Yes. OpenLiteSpeed versions prior to 1.8.4 are vulnerable. Administrators should update immediately or disable HTTP/3 until the patch is applied.

4. Could this affect my WordPress or WooCommerce site?
Yes, if your site is hosted on LiteSpeed or OpenLiteSpeed servers that haven’t been updated. While the bug affects the server software, the result could be downtime for your site.

5. Where can I get the official patches?
Updates are available via the official LiteSpeed blog and the LSQUIC GitHub repository.


If you’re running LiteSpeed or OpenLiteSpeed, update now. If you cannot update yet, disable HTTP/3 as a temporary safeguard.

sources: blog.litespeedtech.com and Imperva
