CVE-2025-29908: 
Java vulnerability analysis and mitigation

A hash collision vulnerability was discovered in Netty QUIC codec, a QUIC codec for netty which makes use of quiche. The vulnerability (CVE-2025-29908) allows remote attackers to cause a considerable CPU load on the server through a Hash DoS attack by initiating connections with colliding Source Connection IDs (SCIDs). The vulnerability affects versions prior to 0.0.71.Final and was disclosed on March 31, 2025 (GitHub Advisory).

The vulnerability exploits the algorithmic complexity of hash tables when managing QUIC connections. The issue stems from using a weak hash function in the hash map implementation that manages connections using Source Connection IDs (SCIDs) as keys. When attackers generate colliding SCIDs, they can trigger the worst-case performance of the hash table, causing the complexity to grow from constant time O(1) to quadratic time O(n²) (QUIC Hash DoS). The vulnerability has been assigned a CVSS v3.1 base score of 5.3 (Medium) with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L (GitHub Advisory).

When exploited, this vulnerability can cause significant server performance degradation. Experimental results showed that vulnerable implementations could suffer a 300x slowdown with just 10,000 parallel connections initiated by malicious clients. The attack is particularly effective due to its asymmetric nature - attackers can induce significant computational burden with minimal effort while the server bears the majority of the processing load (QUIC Hash DoS).

The vulnerability has been fixed in version 0.0.71.Final by implementing a custom hash map that uses SipHash 1-3 for connection ID hashing. The fix prevents hash collision attacks by using a cryptographically secure hashing algorithm. Users should upgrade to version 0.0.71.Final or later to address this vulnerability (GitHub Commit).