Hash Collision Vulnerability in Netty QUIC Codec by Netty
CVE-2025-29908

5.3MEDIUM

Key Information:

Vendor: Netty
Status: Netty-incubator-codec-quic
Vendor: CVE Published:; 31 March 2025

What is CVE-2025-29908?

CVE-2025-29908 is a vulnerability found in the Netty QUIC codec, which is an essential component of the Netty framework used for building high-performance network applications. This vulnerability involves a hash collision within the mechanism managing connection IDs, which can be exploited by remote attackers to initiate numerous connections with duplicative Source Connection IDs (SCIDs). The potential outcome of such exploitation is a significant increase in CPU usage on the affected servers, leading to operational disruptions and performance degradation.

Technical Details

The vulnerability is characterized as a hash collision flaw in the hash map employed by the Netty QUIC codec. This codec leverages the quiche implementation to facilitate QUIC protocols, which are designed to enhance internet communication through multiplexing and lower latency. When attackers send specially crafted requests that create hash collisions, they effectively trigger a denial-of-service condition by overloading the server's CPU, impacting its ability to manage legitimate requests. The issue has been addressed in version 0.0.71.Final of the codec.

Potential impact of CVE-2025-29908

Performance Degradation: The primary impact of this vulnerability is the notable increase in CPU load, which can severely affect server performance. As the server struggles to handle illegitimate requests, legitimate users may experience significant slowdowns or disruptions in service.
Denial of Service (DoS): The hash collision can lead to a denial-of-service attack, where the server becomes unresponsive due to excessive resource consumption from the attack, thus rendering it unable to process valid user requests effectively.
Operational Disruption: Organizations relying on the Netty QUIC codec for critical applications may face increased downtime or degraded service quality, potentially leading to financial losses, customer dissatisfaction, and reputational damage in a competitive landscape.