CVE-2025-1247: A flaw in Quarkus REST (io.quarkus/quarkus-rest) allows request parameters to leak between concurrent requests when endpoints use field injection without a CDI scope, potentially enabling data leakage, impersonation, or access to sensitive information.


Description Preview

A vulnerability in Quarkus REST was discovered where request parameters (headers, query, path and similar per-request values) can leak between concurrent requests if REST endpoint classes rely on field injection without an explicit CDI scope. Because the injected values land in fields of an instance that is shared across requests, an attacker can manipulate the request data another request acts on, impersonate users, or read sensitive information belonging to other callers. The issue affects Quarkus REST prior to version 3.18.2 (including earlier 0.x releases) and is also present in the Red Hat builds of Quarkus and of Apache Camel for Quarkus that bundle it (see Vendors below). The CVSS v3.1 base score is 8.3 (High), with network attack vector, low attack complexity, no user interaction, and a scope of Unchanged. The vulnerability is categorized under CWE-488: Exposure of Data Element to Wrong Session.

Overview

This is a concurrency-related data leak in Quarkus REST. A resource class that declares no CDI scope can be served by a single instance shared by every request it handles. When such a class receives request parameters through field injection, each request writes its values into fields of that shared instance, so a request running in parallel can observe values written by another request. Endpoints commonly use those values to identify the caller or to select what to return, so the consequences are exposure of another user's data, the ability to manipulate the input a request acts on, and impersonation, all reachable over the network without user interaction. The flaw is a concrete instance of a general rule for REST endpoints: per-request data must live in per-request state, and beans that are unscoped or scoped wider than a request must not hold it.

Remediation

  • Upgrade to Quarkus REST version 3.18.2 or newer (or to a Red Hat build of Quarkus REST that includes the patch). The fixed release addresses the leak by enforcing proper scoping for REST endpoint components, so endpoint classes no longer depend on the application getting the scope right.
  • For Red Hat product deployments, apply the relevant advisories and verify that the patched packages are actually installed, e.g., RHSA-2025:1884, RHSA-2025:1885, and RHSA-2025:2067.
  • Review REST endpoint implementations for field injection of request data in classes that declare no CDI scope. Prefer passing request data as resource-method parameters (and use constructor injection for collaborators such as services); where field injection of request data is kept, annotate the endpoint class with a per-request scope such as @RequestScoped so that each request gets its own instance and no request-specific state is shared.
  • After upgrading, run regression and security tests, including tests that issue many concurrent requests with distinct per-request values and assert that each response reflects only its own input. A race is probabilistic, so a single passing run lowers confidence in a leak without proving its absence; keep the request count high.
  • If upgrading is not feasible, be aware that no satisfactory workaround is documented. The code review above reduces exposure in your own endpoints but is not a substitute for the fix; plan to apply the patched release as soon as possible and monitor for vendor advisories.
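The listing below is an added illustration of the review and test steps above; it is not code from the advisory, from Red Hat, or from the Quarkus project. It contrasts the shape the advisory describes (request data injected into a field of an unscoped resource class) with the two scoping choices recommended above, and ends with a @QuarkusTest that issues many concurrent requests with distinct per-request values. The class names, the /whoami paths, the X-User header and the thread and request counts are assumptions made for the example; in a real project each class is a public class in its own source file.

```java
// Added example (not from the advisory or the Quarkus project). Class names,
// paths, the X-User header and the counts below are assumptions for
// illustration. The classes are shown in one listing for comparison; in a
// project each one is a public class in its own file.
import io.quarkus.test.junit.QuarkusTest;
import io.restassured.RestAssured;
import jakarta.enterprise.context.RequestScoped;
import jakarta.ws.rs.GET;
import jakarta.ws.rs.Path;
import org.jboss.resteasy.reactive.RestHeader;
import org.junit.jupiter.api.Test;
import java.util.ArrayList;
import java.util.List;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.concurrent.TimeUnit;
import static org.junit.jupiter.api.Assertions.assertEquals;

// 1. The shape the advisory warns about: request data injected into a field of a
//    resource class that declares no CDI scope. If one instance is shared by
//    concurrent requests, `user` is shared state and a request can observe the
//    value written by another request. A fixed Quarkus release handles this
//    shape for you (see the upgrade step); shapes 2 and 3 do not rely on that.
@Path("/whoami-shared")
class WhoAmIFieldNoScope {
    @RestHeader("X-User")
    String user;                 // written by each request into a shared instance

    @GET
    public String whoami() {
        return user;             // may be another caller's X-User
    }
}

// 2. Same field injection, but the class is explicitly @RequestScoped, so each
//    request gets its own instance and therefore its own copy of `user`.
@Path("/whoami-scoped")
@RequestScoped
class WhoAmIFieldRequestScoped {
    @RestHeader("X-User")
    String user;

    @GET
    public String whoami() {
        return user;
    }
}

// 3. Request data passed as a resource-method parameter: nothing request-specific
//    is stored on the instance, so the class scope is irrelevant for this data.
@Path("/whoami")
class WhoAmIMethodParam {
    @GET
    public String whoami(@RestHeader("X-User") String user) {
        return user;
    }
}

// 4. Concurrency regression check: many parallel requests, each with a unique
//    X-User value, each asserting that the echoed value is its own. Point PATH
//    at the endpoint under test. A race is probabilistic, so a pass lowers
//    confidence in a leak but does not prove absence; keep REQUESTS high.
@QuarkusTest
class WhoAmIConcurrencyTest {
    static final String PATH = "/whoami";       // assumption: endpoint under test
    static final int THREADS = 32;
    static final int REQUESTS = 2000;

    @Test
    void eachRequestSeesOnlyItsOwnHeader() throws Exception {
        ExecutorService pool = Executors.newFixedThreadPool(THREADS);
        List<Future<String[]>> results = new ArrayList<>();
        for (int i = 0; i < REQUESTS; i++) {
            String id = "user-" + i;            // unique per request
            results.add(pool.submit(() -> new String[] {
                id,
                RestAssured.given().header("X-User", id)
                    .when().get(PATH)
                    .then().statusCode(200)
                    .extract().asString()
            }));
        }
        try {
            for (Future<String[]> f : results) {
                String[] r = f.get(60, TimeUnit.SECONDS);
                assertEquals(r[0], r[1], "response carried another request's X-User");
            }
        } finally {
            pool.shutdownNow();
        }
    }
}
```

Run the test against /whoami-shared on an unpatched Quarkus REST to see whether the leak is reproducible in your environment, then against the scoped and method-parameter variants; a mismatch between r[0] and r[1] in any run is a cross-request leak. Treat the thread and request counts as a floor, not a ceiling, when using this as a release gate.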

References

  • RHSA-2025:1884: https://access.redhat.com/errata/RHSA-2025:1884
  • RHSA-2025:1885: https://access.redhat.com/errata/RHSA-2025:1885
  • RHSA-2025:2067: https://access.redhat.com/errata/RHSA-2025:2067
  • CVE-2025-1247: https://access.redhat.com/security/cve/CVE-2025-1247
  • RHBZ#2345172: https://bugzilla.redhat.com/show_bug.cgi?id=2345172

Industry Exposure (most to least)
This section illustrates the prevalence of a specific Common Vulnerabilities and Exposures (CVE) across various industries based on customer reports. The ranking displays industries from the most to least affected by this particular vulnerability, offering valuable insight into where this CVE has been most frequently observed. This information can help organizations within these sectors prioritize their security efforts, understand their relative risk exposure compared to their peers, and focus remediation strategies where they are most needed. By understanding the industry-specific impact, organizations can make more informed decisions regarding patching, resource allocation, and overall risk management related to this CVE.

  1. Finance and Insurance: Low
  2. Arts, Entertainment & Recreation: Low
  3. Health Care & Social Assistance: Low
  4. Management of Companies & Enterprises: Low
  5. Manufacturing: Low
  6. Accommodation & Food Services: Low
  7. Administrative, Support, Waste Management & Remediation Services: Low
  8. Agriculture, Forestry, Fishing & Hunting: Low
  9. Construction: Low
  10. Educational Services: Low
  11. Information: Low
  12. Mining: Low
  13. Other Services (except Public Administration): Low
  14. Professional, Scientific, & Technical Services: Low
  15. Public Administration: Low
  16. Real Estate Rental & Leasing: Low
  17. Retail Trade: Low
  18. Transportation & Warehousing: Low
  19. Utilities: Low
  20. Wholesale Trade: Low

Vendors

Red Hat
  • Red Hat Build of Apache Camel 4.8 for Quarkus 3.15 (cpe:/a:redhat:camel_quarkus:3.15)
  • Red Hat build of Quarkus 3.15.3.SP1 (cpe:/a:redhat:quarkus:3.15::el8)
  • Red Hat build of Quarkus 3.8.6.SP3 (cpe:/a:redhat:quarkus:3.8::el8)
