Last month, I discovered a remote denial-of-service (DoS) vulnerability affecting Litespeed web servers in a very specific runtime environment. The exploit requires only a single malformed curl request and can crash the server instantly, no authentication or large payload required.

We took time to conduct further testing and properly document the behavior to ensure a complete and responsible disclosure. On May 8, 2025, we submitted our findings to LiteSpeed Technologies, including a way to restore the server after an attack. However, this mitigation does not prevent the vulnerability from being triggered again until a proper patch is applied.

LiteSpeed reproduced the issue within 1 hour and 34 minutes, and their engineers are currently working on a patch.

The affected configuration is rare in production but simple enough to trigger, making it noteworthy. Once the patch is released, we’ll publish the full technical breakdown, including the exact curl command.

Full article: https://reptile.tech/blog/remote-dos-specific-environment-litespeed-web-server/