CVE-2024-25678

CRITICAL

Published Feb 9, 2024 Modified Jun 20, 2025 CWE-354

Description

In LiteSpeed QUIC (LSQUIC) Library before 4.0.4, DCID validation is mishandled.

CVSS v3.1 Score

9.8

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Weakness Type (CWE)

CWE-354 CWE-354

Affected Products

Vendor	Product	Versions
litespeedtech	lsquic	< 4.0.4

References

Advisories & Patches

https://github.com/litespeedtech/lsquic/commit/515f453556c99d27c4dddb5424898dc1a5537708 https://github.com/litespeedtech/lsquic/commit/515f453556c99d27c4dddb5424898dc1a5537708

Other References

https://github.com/litespeedtech/lsquic/releases/tag/v4.0.4 https://www.rfc-editor.org/rfc/rfc9001 https://github.com/litespeedtech/lsquic/releases/tag/v4.0.4 https://www.rfc-editor.org/rfc/rfc9001

Frequently Asked Questions

What is CVE-2024-25678? +

In LiteSpeed QUIC (LSQUIC) Library before 4.0.4, DCID validation is mishandled. It has a CVSS v3.1 base score of 9.8 (CRITICAL).

How severe is CVE-2024-25678? +

CVE-2024-25678 has a CVSS v3.1 score of 9.8 out of 10, rated CRITICAL. This is a critical vulnerability that should be patched immediately.

What products are affected by CVE-2024-25678? +

CVE-2024-25678 affects products from litespeedtech, specifically: lsquic. Check the affected products table above for specific version ranges.

How do I check if I'm vulnerable to CVE-2024-25678? +

You can use Secably's free Website Scanner to check your website for known vulnerabilities. For infrastructure scanning, use the Port Scanner to identify exposed services that may be affected. Check the vendor advisories linked above for specific patch and version information.

Related Vulnerabilities

CVE-2024-7402

Netskope has identified a potential gap in its agent (Netskope Client) in which a malicious insider can potentially tamper the …

CVE-2025-4616

An insufficient validation of an untrusted input vulnerability in Palo Alto Networks Prisma® Browser allows a locally authenticated non-admin user …

CVE-2024-48930

secp256k1-node is a Node.js binding for an Optimized C library for EC operations on curve secp256k1. In `elliptic`-based version, `loadUncompressedPublicKey` …

CVE-2025-11543 9.8

Improper Validation of Integrity Check Value vulnerability in Sharp Display Solutions projectors allows a attacker may create and run unauthorized …

CVE-2025-54887 9.1

jwe is a Ruby implementation of the RFC 7516 JSON Web Encryption (JWE) standard. In versions 1.1.0 and below, authentication …

CVE-2024-3596 9.0

RADIUS Protocol under RFC 2865 is susceptible to forgery attacks by a local attacker who can modify any valid Response …