🛡 Fortunately, this configuration appears to affect a very small fraction of websites (likely under 0.1% globally). However, due to the simplicity of the exploit, this vulnerability is still extremely dangerous and could be used as a vector for denial-of-service (DoS) attacks.
📬 On May 8, 2025, we submitted our findings to LiteSpeed Technologies Inc., along with detailed recommendations on how to detect and recover from a potential attack.
⏱ Just 1 hour and 34 minutes later, Ruikai Wang from LiteSpeed confirmed they were able to reproduce the issue. Their engineers are now actively working on a fix.
After an attack, the vulnerability typically manifests when accessing valid URLs that should return a standard HTTP 200 response, but instead return a 404, as if the server no longer recognizes its own directory structure.
The same behavior can also break relative links, as if the server had lost track of its current working directory. In all cases, the result is a website that appears partially or completely broken.
If this occurs, a temporary workaround is to open your .htaccess file, make a minimal edit (such as adding or removing a blank line or a space), and save it. This forces LiteSpeed to reload its configuration, which typically restores normal behavior.
Please note: this does not prevent the vulnerability from being triggered again. A full patch from LiteSpeed Technologies will be necessary to resolve the issue permanently.
curl -v -I "https://www.WEBSITE.com/." --path-as-is
🔍 Explanation of Each Part:
curl - This is the command-line tool used to make HTTP requests. It's often used for testing APIs, debugging web servers, or retrieving content from URLs.
-v - This enables verbose mode, which means curl will display detailed information about the request and response, including the headers sent and received, connection details, and more. It's helpful for debugging.
-I - This tells curl to make a HEAD request instead of a GET. A HEAD request retrieves only the HTTP headers, without downloading the actual content of the page. Useful for checking server responses, redirects, content type, etc.
"https://www.WEBSITE.com/." - This is the target URL. Note the unusual use of /. at the end.
The dot (.) is technically valid, and some servers will treat / and /. differently.
It can be used to bypass certain redirects, caching rules, or URL normalization, depending on how the web server is configured.
--path-as-is - This flag instructs curl not to normalize the URL path. By default, curl might convert things like "/." into "/". This option ensures that the exact path provided is sent to the server without any modification, which is important when testing for edge cases, misconfigurations, or path-related vulnerabilities.
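For teams that want to watch their own servers for this, here is an added Python example (written for this page, not part of the original advisory and not LiteSpeed's tooling). It covers both points above: it flags access-log requests whose path ends in "/." so an attempt shows up in monitoring, probes a list of known-good URLs for the post-attack symptom (valid pages now answering 404), and applies the .htaccess nudge workaround. The Apache/LiteSpeed "combined" log format, the example.test hostnames, the sample log lines and every function name are assumptions or constructed for the example.

```python
"""Added monitoring/recovery helpers for the "/." LiteSpeed symptom.

Assumptions (not from the advisory): the "combined" access-log format,
the example.test hostnames, the constructed SAMPLE_LOG lines and all
function names are the example author's own choices.
"""
import re
import urllib.error
import urllib.request
from typing import Callable, Iterable

# "combined" access-log layout; adjust the regex if your log format differs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log lines (not real traffic) used for the demo below.
SAMPLE_LOG = [
    '203.0.113.5 - - [08/May/2025:10:15:32 +0000] "HEAD /. HTTP/1.1" 200 0 "-" "curl/8.5.0"',
    '198.51.100.7 - - [08/May/2025:10:15:40 +0000] "GET /index.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [08/May/2025:10:15:45 +0000] "GET /blog/. HTTP/1.1" 200 0 "-" "curl/8.5.0"',
    '198.51.100.7 - - [08/May/2025:10:16:02 +0000] "GET /about/ HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
]


def is_dot_path(path: str) -> bool:
    """True when the raw request path ends in '/.', the shape the advisory's
    curl --path-as-is command sends; any query string is ignored."""
    return path.split("?", 1)[0].endswith("/.")


def scan_access_log(lines: Iterable[str]) -> list[dict]:
    """Return the parsed records of every request whose path ends in '/.'."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_dot_path(m.group("path")):
            rec = m.groupdict()
            rec["status"] = int(rec["status"])
            hits.append(rec)
    return hits


def http_status(url: str, timeout: float = 10.0) -> int:
    """HEAD a URL and return its status code (4xx/5xx are returned, not raised)."""
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code


def find_broken_urls(known_good: Iterable[str],
                     fetch: Callable[[str], int] = http_status) -> list[str]:
    """Known-good URLs (expected 200) that now answer 404, the symptom the
    advisory describes after an attack. 'fetch' is injectable for testing."""
    return [u for u in known_good if fetch(u) == 404]


def toggle_trailing_newline(data: bytes) -> tuple[bytes, str]:
    """The advisory's workaround is a minimal .htaccess edit so LiteSpeed
    reloads its configuration. Toggle one trailing blank line so the file
    does not grow with repeated runs; returns (new_content, action)."""
    if data.endswith(b"\n\n"):
        return data[:-1], "removed blank line"
    return data + b"\n", "added blank line"


def nudge_htaccess(path: str) -> str:
    """Apply toggle_trailing_newline() to the .htaccess file at 'path'."""
    with open(path, "rb") as f:
        data = f.read()
    new_data, action = toggle_trailing_newline(data)
    with open(path, "wb") as f:
        f.write(new_data)
    return action


if __name__ == "__main__":
    for rec in scan_access_log(SAMPLE_LOG):
        print(f"suspicious request: {rec['ip']} {rec['method']} {rec['path']} -> {rec['status']}")
    # Offline demo of the health check with a stubbed fetch; pass
    # fetch=http_status to probe a live site instead.
    stub = {"https://example.test/": 200, "https://example.test/about/": 404}
    broken = find_broken_urls(stub, fetch=stub.__getitem__)
    print("known-good URLs now returning 404:", broken)
    if broken:
        print("workaround: nudge_htaccess('/path/to/.htaccess'), then re-check")
```

Run the health check from cron against a handful of URLs you know must return 200; a sudden batch of 404s on those URLs, especially alongside "/." requests in the access log, is the signature described above, and the nudge restores service until the vendor patch is installed.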
Will be in the next release but right now it's a debug build
/usr/local/lsws/admin/misc/lsup.sh -f -v 6.3.3 -d
🧩 As soon as the patch is released, we’ll publish our full technical analysis, including the infamous command line.
Jean-Francois Labelle
COO, Co-Founder
Helps the team solve technical challenges and ensures the quality of deliverables.