CVE-2025-29908: Netty QUIC hash collision DoS attack

Published Mar 31, 2025

An issue was discovered in the Netty QUIC codec (netty-incubator-codec-quic). The codec keeps its connections in a hash map keyed by the Source Connection ID (SCID), a value the client chooses and sends in its very first packet, before any handshake or authentication. A remote attacker who can compute SCIDs that hash to the same bucket can initiate many connections with colliding SCIDs, so that every insertion or lookup walks an ever-growing chain of entries, and the server burns a considerable amount of CPU on a small volume of packets (a Hash DoS attack). Only availability is affected.

See https://github.com/ncc-pbottine/QUIC-Hash-Dos-Advisory

Other sources

NVD description: Netty QUIC codec is a QUIC codec for netty which makes use of quiche. An issue was discovered in the codec. A hash collision vulnerability (in the hash map used to manage connections) allows remote attackers to cause a considerable CPU load on the server (a Hash DoS attack) by initiating connections with colliding Source Connection IDs (SCIDs). This vulnerability is fixed in 0.0.71.Final.

Affected Software

3 affected components, fixes available

- maven/io.netty.incubator:netty-incubator-codec-quic: affected < 0.0.71.Final; fixed in 0.0.71.Final
- IBM Guardium Data Protection: affected <= 12.0 (fixed version not listed here)
- IBM Guardium Data Protection: affected <= 12.1 (fixed version not listed here)

Event History

Mar 31, 2025
- CVE Published via MITRE, 06:43 PM
- Data Sourced via MITRE, 06:43 PM (description, severity, weakness)
- Data Sourced via NVD, 07:15 PM (description, severity, weakness)
- Advisory Published via GitHub, 09:47 PM

May 27, 2025
- Data Sourced via IBM, 12:00 AM (description, affected software)



Frequently Asked Questions

1

What is the severity of CVE-2025-29908?

CVE-2025-29908 is rated high severity. It is a remotely triggerable denial of service: an unauthenticated attacker who can send UDP packets to the QUIC listener can drive up server CPU consumption by initiating connections with colliding SCIDs. Confidentiality and integrity are not affected; the impact is availability of the QUIC service.

2

How do I fix CVE-2025-29908?

Upgrade io.netty.incubator:netty-incubator-codec-quic to 0.0.71.Final or later. Because the codec is usually pulled in transitively (by frameworks, proxies and HTTP/3 clients built on Netty), check the resolved dependency tree of each deployment rather than only the direct dependencies. For IBM Guardium Data Protection, versions 12.0 and 12.1 are both listed as affected; apply the fix IBM has published for those releases rather than treating 12.1 itself as safe.

3

Which systems are affected by CVE-2025-29908?

CVE-2025-29908 affects the Maven artifact io.netty.incubator:netty-incubator-codec-quic in versions before 0.0.71.Final, and IBM Guardium Data Protection versions up to and including 12.1, which this page lists as affected. Any server that accepts QUIC connections through the vulnerable codec is exposed; client-only use is not what the advisory describes.

4

What is a Hash DoS attack in the context of CVE-2025-29908?

The codec tracks connections in a hash map keyed by the Source Connection ID, and the SCID is chosen by the client. If the map's hash function is deterministic and known, an attacker can precompute many distinct SCIDs that hash to the same value, then open connections with them. Every new connection lands in the same bucket, so each lookup or insertion compares against every entry already there; n such connections cost on the order of n squared key comparisons instead of n, and the server's CPU is consumed by a modest stream of packets. Resizing the table does not help when the full hash values are identical; the usual fix is a hash keyed with a per-process secret (or bounding how many colliding entries are accepted), which is what removes the attacker's ability to precompute collisions.
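The mechanism described in the advisory text and in this answer, as an added example that is not code from netty-incubator-codec-quic or from the NCC Group advisory: a minimal chained connection table keyed by SCID, a generator of SCIDs that collide under an unkeyed hash, and the keyed-hash alternative. The 31-polynomial hash, the bucket count and the BLAKE2b keyed hash are illustrative assumptions; the codec's real key type, hash function and fix are not reproduced.

```python
# Added illustration for CVE-2025-29908 (not code from netty-incubator-codec-quic
# or from the NCC Group advisory). It models a QUIC server's connection table
# keyed by the client-chosen Source Connection ID and shows why an unkeyed,
# publicly known hash lets an attacker force every lookup to walk one long
# chain, and why a per-process secret key removes that ability.
import hashlib
import itertools
import os

BUCKETS = 1024  # assumption: any fixed bucket count shows the effect


def weak_hash(scid: bytes) -> int:
    """Java-style 31-polynomial hash over the SCID bytes.

    Assumption: this stands in for any deterministic hash an attacker can
    evaluate offline; the codec's actual key type and hash are not reproduced.
    """
    h = 1
    for b in scid:
        h = (31 * h + b) & 0xFFFFFFFF
    return h


_SECRET = os.urandom(16)  # per-process secret, unknown to the attacker


def keyed_hash(scid: bytes) -> int:
    """Keyed hash (BLAKE2b with a secret key) as the hardened alternative."""
    digest = hashlib.blake2b(scid, key=_SECRET, digest_size=8).digest()
    return int.from_bytes(digest, "big")


def colliding_scids(n: int, length: int = 16) -> list:
    """Return n distinct SCIDs of `length` bytes with identical weak_hash().

    The two-byte blocks b"Aa" and b"BB" have the same 31-polynomial value
    (31*65 + 97 == 31*66 + 66), so every concatenation of length/2 such blocks
    collides with every other one. QUIC connection IDs are at most 20 bytes,
    so length 16 yields 2**8 = 256 colliding IDs and length 20 yields 1024.
    """
    if length % 2 or n > 2 ** (length // 2):
        raise ValueError("need an even length and n <= 2**(length/2)")
    blocks = (b"Aa", b"BB")
    out = []
    for combo in itertools.product(blocks, repeat=length // 2):
        out.append(b"".join(combo))
        if len(out) == n:
            break
    return out


def random_scids(n: int, length: int = 16) -> list:
    """Constructed benign traffic: random SCIDs as well-behaved clients send."""
    return [os.urandom(length) for _ in range(n)]


class ConnectionTable:
    """Minimal chained hash table standing in for the codec's connection map.

    `probes` counts key comparisons, a deterministic proxy for CPU time.
    """

    def __init__(self, hash_fn, buckets: int = BUCKETS):
        self.hash_fn = hash_fn
        self.buckets = [[] for _ in range(buckets)]
        self.probes = 0

    def lookup_or_insert(self, scid: bytes, conn):
        """Return the existing connection for `scid`, or register `conn`."""
        bucket = self.buckets[self.hash_fn(scid) % len(self.buckets)]
        for key, value in bucket:
            self.probes += 1
            if key == scid:
                return value
        bucket.append((scid, conn))
        return conn

    def longest_chain(self) -> int:
        return max(len(b) for b in self.buckets)


def simulate(hash_fn, scids: list) -> tuple:
    """Insert each SCID as a new connection; return (probes, longest chain)."""
    table = ConnectionTable(hash_fn)
    for i, scid in enumerate(scids):
        table.lookup_or_insert(scid, i)
    return table.probes, table.longest_chain()


if __name__ == "__main__":
    attack = colliding_scids(256)
    benign = random_scids(256)
    for name, fn in (("weak_hash", weak_hash), ("keyed_hash", keyed_hash)):
        print(name, "benign:", simulate(fn, benign), "attack:", simulate(fn, attack))
```

With the unkeyed hash, 256 colliding SCIDs produce one chain of 256 entries and 256*255/2 = 32640 key comparisons, while the same 256 IDs under the keyed hash spread over the table like random traffic. The probe count rather than wall-clock time is the metric so the result is reproducible; the quadratic growth is the point, since an attacker sending 20-byte SCIDs gets 1024 collisions from this construction alone and can chain further collision sets.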

5

Is there a known exploit for CVE-2025-29908?

This page lists no public exploit code for CVE-2025-29908. The NCC Group advisory linked above documents the attack technique, and mounting it requires only the ability to send QUIC Initial packets with attacker-chosen SCIDs, so the absence of published exploit code should not be read as low risk; the vulnerability should be addressed promptly.
