CVE-2025-23020: Kwik hash collision vulnerability

CVSS Score
5.3 (CVSS 3.1)

Basic Information

EPSS Score
0.16658%
Published
2/20/2025
Updated
2/20/2025
KEV Status
No
Technology
Java

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Package Name
tech.kwik:kwik
Ecosystem
maven
Vulnerable Versions
< 0.10.1
First Patched Version
0.10.1

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability stemmed from using Arrays.hashCode() to compute the hash of ConnectionSource keys in the connection registry's hash table; that hash is an unkeyed function of the key bytes, so inputs that land in the same bucket can be precomputed. The patch replaces it with a cryptographically secure, keyed SipHash implementation. Runtime profiling during exploitation would show the following:

  1. ConnectionSource.hashCode() would show high CPU usage due to hash collisions
  2. ServerConnectionRegistry methods like registerConnection/isExistingConnection would appear in stack traces as they perform hash table operations
  3. The original Arrays.hashCode-based implementation would dominate profiling samples during a HashDoS attack due to collision resolution overhead
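To make the root cause and the fix concrete, the following is an added example written for this page; it is not Kwik's code and does not reproduce the project's ConnectionSource or ServerConnectionRegistry classes. It defines a hypothetical registry key, KeyedConnectionKey, whose hashCode() is a SipHash-2-4 of the connection-ID bytes under a 128-bit key drawn once per process from SecureRandom (an assumption: a process-lifetime key is enough, since it only has to be unknown to clients). The main() checks the SipHash implementation against the reference vector from the SipHash paper, shows that Arrays.hashCode() gives two different two-byte IDs the same value with no secret involved, and shows the keyed key still behaving correctly in a HashSet.

```java
import java.nio.ByteBuffer;
import java.nio.ByteOrder;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

// Hypothetical registry key: same equals() semantics as a byte[]-backed key,
// but hashCode() is a keyed hash instead of Arrays.hashCode().
public final class KeyedConnectionKey {
    // One random 128-bit SipHash key per process (assumption: see lead-in).
    private static final long K0;
    private static final long K1;
    static {
        byte[] seed = new byte[16];
        new SecureRandom().nextBytes(seed);
        ByteBuffer buf = ByteBuffer.wrap(seed).order(ByteOrder.LITTLE_ENDIAN);
        K0 = buf.getLong();
        K1 = buf.getLong();
    }

    private final byte[] connectionId;
    private final int hash; // keyed hash, computed once per key object

    public KeyedConnectionKey(byte[] connectionId) {
        this.connectionId = connectionId.clone();
        this.hash = (int) siphash24(K0, K1, this.connectionId);
    }

    @Override public int hashCode() { return hash; }

    @Override public boolean equals(Object o) {
        return o instanceof KeyedConnectionKey
                && Arrays.equals(connectionId, ((KeyedConnectionKey) o).connectionId);
    }

    // SipHash-2-4 (Aumasson/Bernstein): 128-bit key, little-endian message, 64-bit output.
    static long siphash24(long k0, long k1, byte[] m) {
        long[] v = {
            k0 ^ 0x736f6d6570736575L, k1 ^ 0x646f72616e646f6dL,
            k0 ^ 0x6c7967656e657261L, k1 ^ 0x7465646279746573L };
        int len = m.length;
        int full = len & ~7; // bytes covered by complete 8-byte words
        for (int i = 0; i < full; i += 8) {
            long word = 0;
            for (int j = 7; j >= 0; j--) word = (word << 8) | (m[i + j] & 0xffL);
            compress(v, word, 2);
        }
        // Last word: remaining bytes, with (length mod 256) in the top byte.
        long last = (long) (len & 0xff) << 56;
        for (int j = full; j < len; j++) last |= (m[j] & 0xffL) << (8 * (j - full));
        compress(v, last, 2);
        v[2] ^= 0xff;          // finalization
        rounds(v, 4);
        return v[0] ^ v[1] ^ v[2] ^ v[3];
    }

    private static void compress(long[] v, long word, int nRounds) {
        v[3] ^= word;
        rounds(v, nRounds);
        v[0] ^= word;
    }

    private static void rounds(long[] v, int n) {
        for (int r = 0; r < n; r++) {
            v[0] += v[1]; v[1] = Long.rotateLeft(v[1], 13); v[1] ^= v[0]; v[0] = Long.rotateLeft(v[0], 32);
            v[2] += v[3]; v[3] = Long.rotateLeft(v[3], 16); v[3] ^= v[2];
            v[0] += v[3]; v[3] = Long.rotateLeft(v[3], 21); v[3] ^= v[0];
            v[2] += v[1]; v[1] = Long.rotateLeft(v[1], 17); v[1] ^= v[2]; v[2] = Long.rotateLeft(v[2], 32);
        }
    }

    public static void main(String[] args) {
        // Reference vector from the SipHash paper: key 00..0f, message 00..0e (15 bytes).
        byte[] key = new byte[16], msg = new byte[15];
        for (int i = 0; i < 16; i++) key[i] = (byte) i;
        for (int i = 0; i < 15; i++) msg[i] = (byte) i;
        ByteBuffer kb = ByteBuffer.wrap(key).order(ByteOrder.LITTLE_ENDIAN);
        long out = siphash24(kb.getLong(), kb.getLong(), msg);
        if (out != 0xa129ca6149be45e5L) throw new AssertionError(Long.toHexString(out));

        // Unkeyed Arrays.hashCode() is a fixed, public function of the bytes, so
        // distinct IDs that share a value (and thus a bucket) exist independently of
        // any server state; that is what the root-cause analysis above describes.
        byte[] a = {1, 0}, b = {0, 31};
        System.out.println("Arrays.hashCode equal: " + (Arrays.hashCode(a) == Arrays.hashCode(b)));

        // With the keyed hash, equality is unchanged and lookups still work, but
        // bucket placement depends on a key a client never sees.
        Set<KeyedConnectionKey> registry = new HashSet<>();
        registry.add(new KeyedConnectionKey(a));
        registry.add(new KeyedConnectionKey(b));
        System.out.println("registry size: " + registry.size()); // 2
        System.out.println("lookup: " + registry.contains(new KeyedConnectionKey(new byte[]{1, 0})));
    }
}
```

Two design points are worth noting. The hash is cached in the constructor because a registry key is hashed on every insert and lookup, and SipHash over a 20-byte connection ID is still far cheaper than the collision-chain traversal the profiling signature above describes. The key is never exposed through hashCode() beyond its 32-bit truncation, and a per-process key is sufficient because the only goal is that clients cannot predict which IDs share a bucket.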

WAF Protection Rules

WAF Rule

An issue was discovered in Kwik before 0.10.1. A hash collision vulnerability (in the hash table used to manage connections) allows remote attackers to cause a considerable CPU load on the server (a hash DoS attack) by initiating connections with col…
