#VU109895 Inefficient Algorithmic Complexity in netty-incubator-codec-quic - CVE-2025-29908

Cybersecurity Help s.r.o.

Published: 2025-05-28

Vulnerability identifier: #VU109895

Vulnerability risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2025-29908

CWE-ID: CWE-407

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
netty-incubator-codec-quic
Other software / Other software solutions

Vendor: Netty project

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a hash collision vulnerability in the hash map used to manage connections. A remote attacker can cause a considerable CPU load on the server (a Hash DoS attack) by initiating connections with colliding Source Connection IDs (SCIDs)

Mitigation
Install updates from vendor's website.

Vulnerable software versions

netty-incubator-codec-quic: 0.0.1 - 0.0.70

External links
https://github.com/ncc-pbottine/QUIC-Hash-Dos-Advisory
https://github.com/netty/netty-incubator-codec-quic/commit/e059bd9b78723f8b035e0c547e42ce263f03461c
https://github.com/netty/netty-incubator-codec-quic/security/advisories/GHSA-hqqc-jr88-p6x2

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in IBM Guardium Data Protection

Inefficient algorithmic complexity in Netty QUIC codec