2 vulnerabilities found for Streams for Apache Kafka 2.9.1 by Red Hat
CVE-2025-1634 (GCVE-0-2025-1634)
Vulnerability from nvd – Published: 2025-02-26 16:56 – Updated: 2026-05-06 16:47
Title
Io.quarkus:quarkus-resteasy: memory leak in quarkus resteasy classic when client requests timeout
Summary
A flaw was found in the quarkus-resteasy extension, which causes memory leaks when client requests with low timeouts are made. If a client request times out, a buffer is not released correctly, leading to increased memory usage and eventual application crash due to OutOfMemoryError.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-401 - Missing Release of Memory after Effective Lifetime
Assigner
References
10 references
| URL | Tags |
|---|---|
| https://access.redhat.com/errata/RHSA-2025:12511 | vendor-advisory, x_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2025:1884 | vendor-advisory, x_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2025:1885 | vendor-advisory, x_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2025:2067 | vendor-advisory, x_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2025:23417 | vendor-advisory, x_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2025:9922 | vendor-advisory, x_refsource_REDHAT |
| https://access.redhat.com/security/cve/CVE-2025-1634 | vdb-entry, x_refsource_REDHAT |
| https://bugzilla.redhat.com/show_bug.cgi?id=2347319 | issue-tracking, x_refsource_REDHAT |
| https://github.com/quarkusio/quarkus/issues/46412 | |
| https://github.com/quarkusio/quarkus/pull/46419 | |
Impacted products
8 products
| Vendor | Product | Version | CPE |
|---|---|---|---|
| | | Affected: 0, < 3.8.6 (semver); Affected: 0, < 3.15.3 (semver) | |
| Red Hat | Red Hat Build of Apache Camel 4.8 for Quarkus 3.15 | | cpe:/a:redhat:camel_quarkus:3.15 |
| Red Hat | Red Hat build of Quarkus 3.15.3.SP1 | | cpe:/a:redhat:quarkus:3.15::el8 |
| Red Hat | Red Hat build of Quarkus 3.8.6.SP3 | | cpe:/a:redhat:quarkus:3.8::el8 |
| Red Hat | Streams for Apache Kafka 2.9.1 | | cpe:/a:redhat:amq_streams:2.9::el9 |
| Red Hat | Streams for Apache Kafka 3.0.0 | | cpe:/a:redhat:amq_streams:3.0::el9 |
| Red Hat | Streams for Apache Kafka 3.1.0 | | cpe:/a:redhat:amq_streams:3.1::el9 |
| Red Hat | Red Hat build of Quarkus | | cpe:/a:redhat:quarkus:3 |
Date Public
2025-02-24 00:00
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-1634",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-26T17:22:33.342704Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-26T17:25:47.506Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://github.com/quarkusio/quarkus",
"defaultStatus": "unaffected",
"packageName": "quarkus-resteasy",
"versions": [
{
"lessThan": "3.8.6",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "3.15.3",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:camel_quarkus:3.15"
],
"defaultStatus": "unaffected",
"packageName": "quarkus-resteasy",
"product": "Red Hat Build of Apache Camel 4.8 for Quarkus 3.15",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:quarkus:3.15::el8"
],
"defaultStatus": "unaffected",
"product": "Red Hat build of Quarkus 3.15.3.SP1",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:quarkus:3.8::el8"
],
"defaultStatus": "unaffected",
"product": "Red Hat build of Quarkus 3.8.6.SP3",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:amq_streams:2.9::el9"
],
"defaultStatus": "unaffected",
"product": "Streams for Apache Kafka 2.9.1",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:amq_streams:3.0::el9"
],
"defaultStatus": "unaffected",
"product": "Streams for Apache Kafka 3.0.0",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:amq_streams:3.1::el9"
],
"defaultStatus": "unaffected",
"packageName": "quarkus-resteasy",
"product": "Streams for Apache Kafka 3.1.0",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:quarkus:3"
],
"defaultStatus": "affected",
"packageName": "quarkus-resteasy",
"product": "Red Hat build of Quarkus",
"vendor": "Red Hat"
}
],
"datePublic": "2025-02-24T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in the quarkus-resteasy extension, which causes memory leaks when client requests with low timeouts are made. If a client request times out, a buffer is not released correctly, leading to increased memory usage and eventual application crash due to OutOfMemoryError."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-401",
"description": "Missing Release of Memory after Effective Lifetime",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-06T16:47:36.632Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "RHSA-2025:12511",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2025:12511"
},
{
"name": "RHSA-2025:1884",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2025:1884"
},
{
"name": "RHSA-2025:1885",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2025:1885"
},
{
"name": "RHSA-2025:2067",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2025:2067"
},
{
"name": "RHSA-2025:23417",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2025:23417"
},
{
"name": "RHSA-2025:9922",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2025:9922"
},
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2025-1634"
},
{
"name": "RHBZ#2347319",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2347319"
},
{
"url": "https://github.com/quarkusio/quarkus/issues/46412"
},
{
"url": "https://github.com/quarkusio/quarkus/pull/46419"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-02-24T14:17:31.237Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2025-02-24T00:00:00.000Z",
"value": "Made public."
}
],
"title": "Io.quarkus:quarkus-resteasy: memory leak in quarkus resteasy classic when client requests timeout",
"workarounds": [
{
"lang": "en",
"value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."
}
],
"x_generator": {
"engine": "cvelib 1.8.0"
},
"x_redhatCweChain": "CWE-401: Missing Release of Memory after Effective Lifetime"
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2025-1634",
"datePublished": "2025-02-26T16:56:23.869Z",
"dateReserved": "2025-02-24T14:23:22.369Z",
"dateUpdated": "2026-05-06T16:47:36.632Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-1634 (GCVE-0-2025-1634)
Vulnerability from cvelistv5 – Published: 2025-02-26 16:56 – Updated: 2026-05-06 16:47
Title
Io.quarkus:quarkus-resteasy: memory leak in quarkus resteasy classic when client requests timeout
Summary
A flaw was found in the quarkus-resteasy extension, which causes memory leaks when client requests with low timeouts are made. If a client request times out, a buffer is not released correctly, leading to increased memory usage and eventual application crash due to OutOfMemoryError.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-401 - Missing Release of Memory after Effective Lifetime
Assigner
References
10 references
| URL | Tags |
|---|---|
| https://access.redhat.com/errata/RHSA-2025:12511 | vendor-advisory, x_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2025:1884 | vendor-advisory, x_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2025:1885 | vendor-advisory, x_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2025:2067 | vendor-advisory, x_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2025:23417 | vendor-advisory, x_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2025:9922 | vendor-advisory, x_refsource_REDHAT |
| https://access.redhat.com/security/cve/CVE-2025-1634 | vdb-entry, x_refsource_REDHAT |
| https://bugzilla.redhat.com/show_bug.cgi?id=2347319 | issue-tracking, x_refsource_REDHAT |
| https://github.com/quarkusio/quarkus/issues/46412 | |
| https://github.com/quarkusio/quarkus/pull/46419 | |
Impacted products
8 products
| Vendor | Product | Version | CPE |
|---|---|---|---|
| | | Affected: 0, < 3.8.6 (semver); Affected: 0, < 3.15.3 (semver) | |
| Red Hat | Red Hat Build of Apache Camel 4.8 for Quarkus 3.15 | | cpe:/a:redhat:camel_quarkus:3.15 |
| Red Hat | Red Hat build of Quarkus 3.15.3.SP1 | | cpe:/a:redhat:quarkus:3.15::el8 |
| Red Hat | Red Hat build of Quarkus 3.8.6.SP3 | | cpe:/a:redhat:quarkus:3.8::el8 |
| Red Hat | Streams for Apache Kafka 2.9.1 | | cpe:/a:redhat:amq_streams:2.9::el9 |
| Red Hat | Streams for Apache Kafka 3.0.0 | | cpe:/a:redhat:amq_streams:3.0::el9 |
| Red Hat | Streams for Apache Kafka 3.1.0 | | cpe:/a:redhat:amq_streams:3.1::el9 |
| Red Hat | Red Hat build of Quarkus | | cpe:/a:redhat:quarkus:3 |
Date Public
2025-02-24 00:00
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-1634",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-26T17:22:33.342704Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-26T17:25:47.506Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://github.com/quarkusio/quarkus",
"defaultStatus": "unaffected",
"packageName": "quarkus-resteasy",
"versions": [
{
"lessThan": "3.8.6",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "3.15.3",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:camel_quarkus:3.15"
],
"defaultStatus": "unaffected",
"packageName": "quarkus-resteasy",
"product": "Red Hat Build of Apache Camel 4.8 for Quarkus 3.15",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:quarkus:3.15::el8"
],
"defaultStatus": "unaffected",
"product": "Red Hat build of Quarkus 3.15.3.SP1",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:quarkus:3.8::el8"
],
"defaultStatus": "unaffected",
"product": "Red Hat build of Quarkus 3.8.6.SP3",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:amq_streams:2.9::el9"
],
"defaultStatus": "unaffected",
"product": "Streams for Apache Kafka 2.9.1",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:amq_streams:3.0::el9"
],
"defaultStatus": "unaffected",
"product": "Streams for Apache Kafka 3.0.0",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:amq_streams:3.1::el9"
],
"defaultStatus": "unaffected",
"packageName": "quarkus-resteasy",
"product": "Streams for Apache Kafka 3.1.0",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:quarkus:3"
],
"defaultStatus": "affected",
"packageName": "quarkus-resteasy",
"product": "Red Hat build of Quarkus",
"vendor": "Red Hat"
}
],
"datePublic": "2025-02-24T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in the quarkus-resteasy extension, which causes memory leaks when client requests with low timeouts are made. If a client request times out, a buffer is not released correctly, leading to increased memory usage and eventual application crash due to OutOfMemoryError."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-401",
"description": "Missing Release of Memory after Effective Lifetime",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-06T16:47:36.632Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "RHSA-2025:12511",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2025:12511"
},
{
"name": "RHSA-2025:1884",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2025:1884"
},
{
"name": "RHSA-2025:1885",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2025:1885"
},
{
"name": "RHSA-2025:2067",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2025:2067"
},
{
"name": "RHSA-2025:23417",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2025:23417"
},
{
"name": "RHSA-2025:9922",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2025:9922"
},
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2025-1634"
},
{
"name": "RHBZ#2347319",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2347319"
},
{
"url": "https://github.com/quarkusio/quarkus/issues/46412"
},
{
"url": "https://github.com/quarkusio/quarkus/pull/46419"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-02-24T14:17:31.237Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2025-02-24T00:00:00.000Z",
"value": "Made public."
}
],
"title": "Io.quarkus:quarkus-resteasy: memory leak in quarkus resteasy classic when client requests timeout",
"workarounds": [
{
"lang": "en",
"value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."
}
],
"x_generator": {
"engine": "cvelib 1.8.0"
},
"x_redhatCweChain": "CWE-401: Missing Release of Memory after Effective Lifetime"
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2025-1634",
"datePublished": "2025-02-26T16:56:23.869Z",
"dateReserved": "2025-02-24T14:23:22.369Z",
"dateUpdated": "2026-05-06T16:47:36.632Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}