CVE-2025-23020: Kwik hash collision vulnerability

February 20, 2025

An issue was discovered in Kwik before 0.10.1. A hash collision vulnerability (in the hash table used to manage connections) allows remote attackers to cause a considerable CPU load on the server (a Hash DoS attack) by initiating connections with colliding Source Connection IDs (SCIDs).

References

github.com/advisories/GHSA-9f57-9rhg-4hvm
github.com/ncc-pbottine/QUIC-Hash-Dos-Advisory
github.com/ptrd/kwik
github.com/ptrd/kwik/commit/b0733d72bad76bc5d8df2f4a7792ebb2539ebdc8
github.com/ptrd/kwik/releases/tag/v0.10.1
nvd.nist.gov/vuln/detail/CVE-2025-23020

Detect and mitigate CVE-2025-23020 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →