
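    4 vulnerability records found for Red Hat build of Quarkus 3.8.6.SP3 by Red Hat (two distinct CVEs, CVE-2025-1634 and CVE-2025-1247, each listed once from the nvd source and once from cvelistv5). In both CVE records this product entry carries defaultStatus "unaffected", so a match here does not by itself mean the product is vulnerable.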

    CVE-2025-1634 (GCVE-0-2025-1634)

    Vulnerability from nvd – Published: 2025-02-26 16:56 – Updated: 2026-05-06 16:47
    VLAI
    Title
    Io.quarkus:quarkus-resteasy: memory leak in quarkus resteasy classic when client requests timeout
    Summary
    A flaw was found in the quarkus-resteasy extension, which causes memory leaks when client requests with low timeouts are made. If a client request times out, a buffer is not released correctly, leading to increased memory usage and eventual application crash due to OutOfMemoryError.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-401 - Missing Release of Memory after Effective Lifetime
    Assigner
    Impacted products
    Date Public
    2025-02-24 00:00

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-1634",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-02-26T17:22:33.342704Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-26T17:25:47.506Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://github.com/quarkusio/quarkus",
              "defaultStatus": "unaffected",
              "packageName": "quarkus-resteasy",
              "versions": [
                {
                  "lessThan": "3.8.6",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "3.15.3",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:camel_quarkus:3.15"
              ],
              "defaultStatus": "unaffected",
              "packageName": "quarkus-resteasy",
              "product": "Red Hat Build of Apache Camel 4.8 for Quarkus 3.15",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:quarkus:3.15::el8"
              ],
              "defaultStatus": "unaffected",
              "product": "Red Hat build of Quarkus 3.15.3.SP1",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:quarkus:3.8::el8"
              ],
              "defaultStatus": "unaffected",
              "product": "Red Hat build of Quarkus 3.8.6.SP3",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:amq_streams:2.9::el9"
              ],
              "defaultStatus": "unaffected",
              "product": "Streams for Apache Kafka 2.9.1",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:amq_streams:3.0::el9"
              ],
              "defaultStatus": "unaffected",
              "product": "Streams for Apache Kafka 3.0.0",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:amq_streams:3.1::el9"
              ],
              "defaultStatus": "unaffected",
              "packageName": "quarkus-resteasy",
              "product": "Streams for Apache Kafka 3.1.0",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:quarkus:3"
              ],
              "defaultStatus": "affected",
              "packageName": "quarkus-resteasy",
              "product": "Red Hat build of Quarkus",
              "vendor": "Red Hat"
            }
          ],
          "datePublic": "2025-02-24T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A flaw was found in the quarkus-resteasy extension, which causes memory leaks when client requests with low timeouts are made. If a client request times out, a buffer is not released correctly, leading to increased memory usage and eventual application crash due to OutOfMemoryError."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "namespace": "https://access.redhat.com/security/updates/classification/",
                  "value": "Important"
                },
                "type": "Red Hat severity rating"
              }
            },
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-401",
                  "description": "Missing Release of Memory after Effective Lifetime",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-06T16:47:36.632Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "name": "RHSA-2025:12511",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2025:12511"
            },
            {
              "name": "RHSA-2025:1884",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2025:1884"
            },
            {
              "name": "RHSA-2025:1885",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2025:1885"
            },
            {
              "name": "RHSA-2025:2067",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2025:2067"
            },
            {
              "name": "RHSA-2025:23417",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2025:23417"
            },
            {
              "name": "RHSA-2025:9922",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2025:9922"
            },
            {
              "tags": [
                "vdb-entry",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/security/cve/CVE-2025-1634"
            },
            {
              "name": "RHBZ#2347319",
              "tags": [
                "issue-tracking",
                "x_refsource_REDHAT"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2347319"
            },
            {
              "url": "https://github.com/quarkusio/quarkus/issues/46412"
            },
            {
              "url": "https://github.com/quarkusio/quarkus/pull/46419"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-02-24T14:17:31.237Z",
              "value": "Reported to Red Hat."
            },
            {
              "lang": "en",
              "time": "2025-02-24T00:00:00.000Z",
              "value": "Made public."
            }
          ],
          "title": "Io.quarkus:quarkus-resteasy: memory leak in quarkus resteasy classic when client requests timeout",
          "workarounds": [
            {
              "lang": "en",
              "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."
            }
          ],
          "x_generator": {
            "engine": "cvelib 1.8.0"
          },
          "x_redhatCweChain": "CWE-401: Missing Release of Memory after Effective Lifetime"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2025-1634",
        "datePublished": "2025-02-26T16:56:23.869Z",
        "dateReserved": "2025-02-24T14:23:22.369Z",
        "dateUpdated": "2026-05-06T16:47:36.632Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-1247 (GCVE-0-2025-1247)

    Vulnerability from nvd – Published: 2025-02-13 13:26 – Updated: 2026-03-23 16:52
    VLAI
    Title
    Io.quarkus:quarkus-rest: quarkus rest endpoint request parameter leakage due to shared instance
    Summary
    A flaw was found in Quarkus REST that allows request parameters to leak between concurrent requests if endpoints use field injection without a CDI scope. This vulnerability allows attackers to manipulate request data, impersonate users, or access sensitive information.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-488 - Exposure of Data Element to Wrong Session
    Assigner
    References
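    Impacted products (the Red Hat products listed below carry defaultStatus "unaffected" in the CVE record; only the upstream quarkus-rest range before 3.18.2 is marked affected)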
    Vendor Product Version
    quarkus-rest (upstream, https://github.com/quarkusio/quarkus/) – Affected: 0, < 3.18.2 (semver)
    Red Hat Red Hat Build of Apache Camel 4.8 for Quarkus 3.15     cpe:/a:redhat:camel_quarkus:3.15
    Red Hat Red Hat build of Quarkus 3.15.3.SP1     cpe:/a:redhat:quarkus:3.15::el8
    Red Hat Red Hat build of Quarkus 3.8.6.SP3     cpe:/a:redhat:quarkus:3.8::el8
    Date Public
    2025-02-12 00:00

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-1247",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-02-13T14:11:32.786242Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-13T14:11:38.780Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://github.com/quarkusio/quarkus/",
              "defaultStatus": "unaffected",
              "packageName": "quarkus-rest",
              "versions": [
                {
                  "lessThan": "3.18.2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:camel_quarkus:3.15"
              ],
              "defaultStatus": "unaffected",
              "packageName": "io.quarkus/quarkus-rest",
              "product": "Red Hat Build of Apache Camel 4.8 for Quarkus 3.15",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:quarkus:3.15::el8"
              ],
              "defaultStatus": "unaffected",
              "packageName": "io.quarkus/quarkus-rest",
              "product": "Red Hat build of Quarkus 3.15.3.SP1",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:quarkus:3.8::el8"
              ],
              "defaultStatus": "unaffected",
              "packageName": "io.quarkus/quarkus-rest",
              "product": "Red Hat build of Quarkus 3.8.6.SP3",
              "vendor": "Red Hat"
            }
          ],
          "datePublic": "2025-02-12T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A flaw was found in Quarkus REST that allows request parameters to leak between concurrent requests if endpoints use field injection without a CDI scope. This vulnerability allows attackers to manipulate request data, impersonate users, or access sensitive information."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "namespace": "https://access.redhat.com/security/updates/classification/",
                  "value": "Important"
                },
                "type": "Red Hat severity rating"
              }
            },
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 8.3,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
                "version": "3.1"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-488",
                  "description": "Exposure of Data Element to Wrong Session",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-23T16:52:29.190Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "name": "RHSA-2025:1884",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2025:1884"
            },
            {
              "name": "RHSA-2025:1885",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2025:1885"
            },
            {
              "name": "RHSA-2025:2067",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2025:2067"
            },
            {
              "tags": [
                "vdb-entry",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/security/cve/CVE-2025-1247"
            },
            {
              "name": "RHBZ#2345172",
              "tags": [
                "issue-tracking",
                "x_refsource_REDHAT"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2345172"
            },
            {
              "url": "https://github.com/quarkusio/quarkus/issues/45789"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-02-12T09:30:25.106Z",
              "value": "Reported to Red Hat."
            },
            {
              "lang": "en",
              "time": "2025-02-12T00:00:00.000Z",
              "value": "Made public."
            }
          ],
          "title": "Io.quarkus:quarkus-rest: quarkus rest endpoint request parameter leakage due to shared instance",
          "workarounds": [
            {
              "lang": "en",
              "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."
            }
          ],
          "x_generator": {
            "engine": "cvelib 1.8.0"
          },
          "x_redhatCweChain": "CWE-488: Exposure of Data Element to Wrong Session"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2025-1247",
        "datePublished": "2025-02-13T13:26:26.992Z",
        "dateReserved": "2025-02-12T09:43:11.716Z",
        "dateUpdated": "2026-03-23T16:52:29.190Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-1634 (GCVE-0-2025-1634)

    Vulnerability from cvelistv5 – Published: 2025-02-26 16:56 – Updated: 2026-05-06 16:47
    VLAI
    Title
    Io.quarkus:quarkus-resteasy: memory leak in quarkus resteasy classic when client requests timeout
    Summary
    A flaw was found in the quarkus-resteasy extension, which causes memory leaks when client requests with low timeouts are made. If a client request times out, a buffer is not released correctly, leading to increased memory usage and eventual application crash due to OutOfMemoryError.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-401 - Missing Release of Memory after Effective Lifetime
    Assigner
    Impacted products
    Date Public
    2025-02-24 00:00

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-1634",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-02-26T17:22:33.342704Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-26T17:25:47.506Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://github.com/quarkusio/quarkus",
              "defaultStatus": "unaffected",
              "packageName": "quarkus-resteasy",
              "versions": [
                {
                  "lessThan": "3.8.6",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "3.15.3",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:camel_quarkus:3.15"
              ],
              "defaultStatus": "unaffected",
              "packageName": "quarkus-resteasy",
              "product": "Red Hat Build of Apache Camel 4.8 for Quarkus 3.15",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:quarkus:3.15::el8"
              ],
              "defaultStatus": "unaffected",
              "product": "Red Hat build of Quarkus 3.15.3.SP1",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:quarkus:3.8::el8"
              ],
              "defaultStatus": "unaffected",
              "product": "Red Hat build of Quarkus 3.8.6.SP3",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:amq_streams:2.9::el9"
              ],
              "defaultStatus": "unaffected",
              "product": "Streams for Apache Kafka 2.9.1",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:amq_streams:3.0::el9"
              ],
              "defaultStatus": "unaffected",
              "product": "Streams for Apache Kafka 3.0.0",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:amq_streams:3.1::el9"
              ],
              "defaultStatus": "unaffected",
              "packageName": "quarkus-resteasy",
              "product": "Streams for Apache Kafka 3.1.0",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:quarkus:3"
              ],
              "defaultStatus": "affected",
              "packageName": "quarkus-resteasy",
              "product": "Red Hat build of Quarkus",
              "vendor": "Red Hat"
            }
          ],
          "datePublic": "2025-02-24T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A flaw was found in the quarkus-resteasy extension, which causes memory leaks when client requests with low timeouts are made. If a client request times out, a buffer is not released correctly, leading to increased memory usage and eventual application crash due to OutOfMemoryError."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "namespace": "https://access.redhat.com/security/updates/classification/",
                  "value": "Important"
                },
                "type": "Red Hat severity rating"
              }
            },
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-401",
                  "description": "Missing Release of Memory after Effective Lifetime",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-06T16:47:36.632Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "name": "RHSA-2025:12511",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2025:12511"
            },
            {
              "name": "RHSA-2025:1884",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2025:1884"
            },
            {
              "name": "RHSA-2025:1885",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2025:1885"
            },
            {
              "name": "RHSA-2025:2067",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2025:2067"
            },
            {
              "name": "RHSA-2025:23417",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2025:23417"
            },
            {
              "name": "RHSA-2025:9922",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2025:9922"
            },
            {
              "tags": [
                "vdb-entry",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/security/cve/CVE-2025-1634"
            },
            {
              "name": "RHBZ#2347319",
              "tags": [
                "issue-tracking",
                "x_refsource_REDHAT"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2347319"
            },
            {
              "url": "https://github.com/quarkusio/quarkus/issues/46412"
            },
            {
              "url": "https://github.com/quarkusio/quarkus/pull/46419"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-02-24T14:17:31.237Z",
              "value": "Reported to Red Hat."
            },
            {
              "lang": "en",
              "time": "2025-02-24T00:00:00.000Z",
              "value": "Made public."
            }
          ],
          "title": "Io.quarkus:quarkus-resteasy: memory leak in quarkus resteasy classic when client requests timeout",
          "workarounds": [
            {
              "lang": "en",
              "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."
            }
          ],
          "x_generator": {
            "engine": "cvelib 1.8.0"
          },
          "x_redhatCweChain": "CWE-401: Missing Release of Memory after Effective Lifetime"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2025-1634",
        "datePublished": "2025-02-26T16:56:23.869Z",
        "dateReserved": "2025-02-24T14:23:22.369Z",
        "dateUpdated": "2026-05-06T16:47:36.632Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-1247 (GCVE-0-2025-1247)

    Vulnerability from cvelistv5 – Published: 2025-02-13 13:26 – Updated: 2026-03-23 16:52
    VLAI
    Title
    Io.quarkus:quarkus-rest: quarkus rest endpoint request parameter leakage due to shared instance
    Summary
    A flaw was found in Quarkus REST that allows request parameters to leak between concurrent requests if endpoints use field injection without a CDI scope. This vulnerability allows attackers to manipulate request data, impersonate users, or access sensitive information.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-488 - Exposure of Data Element to Wrong Session
    Assigner
    References
    Impacted products
    Vendor Product Version
    quarkus-rest (upstream, https://github.com/quarkusio/quarkus/) – Affected: 0, < 3.18.2 (semver)
    Red Hat Red Hat Build of Apache Camel 4.8 for Quarkus 3.15     cpe:/a:redhat:camel_quarkus:3.15
    Red Hat Red Hat build of Quarkus 3.15.3.SP1     cpe:/a:redhat:quarkus:3.15::el8
    Red Hat Red Hat build of Quarkus 3.8.6.SP3     cpe:/a:redhat:quarkus:3.8::el8
    Date Public
    2025-02-12 00:00

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-1247",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-02-13T14:11:32.786242Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-13T14:11:38.780Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://github.com/quarkusio/quarkus/",
              "defaultStatus": "unaffected",
              "packageName": "quarkus-rest",
              "versions": [
                {
                  "lessThan": "3.18.2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:camel_quarkus:3.15"
              ],
              "defaultStatus": "unaffected",
              "packageName": "io.quarkus/quarkus-rest",
              "product": "Red Hat Build of Apache Camel 4.8 for Quarkus 3.15",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:quarkus:3.15::el8"
              ],
              "defaultStatus": "unaffected",
              "packageName": "io.quarkus/quarkus-rest",
              "product": "Red Hat build of Quarkus 3.15.3.SP1",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:quarkus:3.8::el8"
              ],
              "defaultStatus": "unaffected",
              "packageName": "io.quarkus/quarkus-rest",
              "product": "Red Hat build of Quarkus 3.8.6.SP3",
              "vendor": "Red Hat"
            }
          ],
          "datePublic": "2025-02-12T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A flaw was found in Quarkus REST that allows request parameters to leak between concurrent requests if endpoints use field injection without a CDI scope. This vulnerability allows attackers to manipulate request data, impersonate users, or access sensitive information."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "namespace": "https://access.redhat.com/security/updates/classification/",
                  "value": "Important"
                },
                "type": "Red Hat severity rating"
              }
            },
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 8.3,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
                "version": "3.1"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-488",
                  "description": "Exposure of Data Element to Wrong Session",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-23T16:52:29.190Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "name": "RHSA-2025:1884",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2025:1884"
            },
            {
              "name": "RHSA-2025:1885",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2025:1885"
            },
            {
              "name": "RHSA-2025:2067",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2025:2067"
            },
            {
              "tags": [
                "vdb-entry",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/security/cve/CVE-2025-1247"
            },
            {
              "name": "RHBZ#2345172",
              "tags": [
                "issue-tracking",
                "x_refsource_REDHAT"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2345172"
            },
            {
              "url": "https://github.com/quarkusio/quarkus/issues/45789"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-02-12T09:30:25.106Z",
              "value": "Reported to Red Hat."
            },
            {
              "lang": "en",
              "time": "2025-02-12T00:00:00.000Z",
              "value": "Made public."
            }
          ],
          "title": "Io.quarkus:quarkus-rest: quarkus rest endpoint request parameter leakage due to shared instance",
          "workarounds": [
            {
              "lang": "en",
              "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."
            }
          ],
          "x_generator": {
            "engine": "cvelib 1.8.0"
          },
          "x_redhatCweChain": "CWE-488: Exposure of Data Element to Wrong Session"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2025-1247",
        "datePublished": "2025-02-13T13:26:26.992Z",
        "dateReserved": "2025-02-12T09:43:11.716Z",
        "dateUpdated": "2026-03-23T16:52:29.190Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }