Bug 2347319 (CVE-2025-1634)

Summary: CVE-2025-1634 io.quarkus:quarkus-resteasy: Memory Leak in Quarkus RESTEasy Classic When Client Requests Timeout
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW
Severity: high
Priority: high
Version: unspecified
CC: anstephe, avibelli, bgeorges, chfoley, clement.escoffier, dandread, dkreling, fmongiar, gsmet, janstey, jmartisk, jnethert, jsamir, lthon, manderse, mosmerov, olubyans, pesilva, pgallagh, pjindal, probinso, rguimara, rruss, rsvoboda, sausingh, sbiarozk, sthirugn, swoodman, tqvarnst, vkrizan
Keywords: Security
Hardware: All
OS: Linux
Doc Text:
A flaw was found in the quarkus-resteasy extension (RESTEasy Classic). When a client request times out, a buffer is not released correctly. A client that repeatedly issues requests with low timeouts therefore drives the application's memory usage up until it crashes with an OutOfMemoryError.

Description OSIDB Bzimport 2025-02-24 14:33:37 UTC
This vulnerability affects all currently maintained versions of the quarkus-resteasy extension. Applications exposing REST endpoints using this extension are susceptible to attacks where an adversary can intentionally cause client timeouts, leading to memory exhaustion and application failure. The issue has been addressed in a recent fix, and users are advised to update their dependencies accordingly.

Comment 4 errata-xmlrpc 2025-02-27 13:16:22 UTC
This issue has been addressed in the following products:

  Red Hat build of Quarkus 3.15.3.SP1

Via RHSA-2025:1885 https://access.redhat.com/errata/RHSA-2025:1885

Comment 5 errata-xmlrpc 2025-02-27 15:15:09 UTC
This issue has been addressed in the following products:

  Red Hat build of Quarkus 3.8.6.SP3

Via RHSA-2025:1884 https://access.redhat.com/errata/RHSA-2025:1884

Comment 6 errata-xmlrpc 2025-03-03 13:23:28 UTC
This issue has been addressed in the following products:

  Red Hat Build of Apache Camel 4.8 for Quarkus 3.15

Via RHSA-2025:2067 https://access.redhat.com/errata/RHSA-2025:2067

Comment 7 errata-xmlrpc 2025-06-30 13:17:11 UTC
This issue has been addressed in the following products:

  Streams for Apache Kafka 2.9.1

Via RHSA-2025:9922 https://access.redhat.com/errata/RHSA-2025:9922

Comment 8 errata-xmlrpc 2025-08-01 17:43:12 UTC
This issue has been addressed in the following products:

  Streams for Apache Kafka 3.0.0

Via RHSA-2025:12511 https://access.redhat.com/errata/RHSA-2025:12511

Comment 9 errata-xmlrpc 2025-12-16 23:13:48 UTC
This issue has been addressed in the following products:

  Streams for Apache Kafka 3.1.0

Via RHSA-2025:23417 https://access.redhat.com/errata/RHSA-2025:23417
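Added example, not code from the bug report, Red Hat or the Quarkus project: a Python triage script that scans mvn dependency:list output for io.quarkus:quarkus-resteasy and compares each Red Hat build version against the fixed builds named in the errata above (3.8.6.SP3 via RHSA-2025:1884 and 3.15.3.SP1 via RHSA-2025:1885). The version-string layout it parses (X.Y.Z[.SPn][.Final][.-]redhat-NNNNN), the treatment of any SP-suffixed version as a Red Hat build, and the sample dependency list are assumptions or constructed data. Community (non-Red Hat) versions and streams not named on this page are reported as unknown rather than guessed, because the page gives no upstream fix version.

```python
"""Triage helper for CVE-2025-1634 in io.quarkus:quarkus-resteasy.

Added example, not part of the bug report or the Quarkus project. The fixed
builds (3.8.6.SP3 and 3.15.3.SP1) come from the errata in the bug; the version
string layout (X.Y.Z[.SPn][.Final][.-]redhat-NNNNN) is an assumption about Red
Hat build artifacts, and the dependency list at the bottom is constructed.
"""
import re
from typing import List, Optional, Tuple

ARTIFACT = "io.quarkus:quarkus-resteasy"

# First fixed build per Red Hat stream, as (major, minor, patch, service_pack).
# Only the two streams named in RHSA-2025:1884 / RHSA-2025:1885 are known here.
FIXED_BY_STREAM = {
    (3, 8): (3, 8, 6, 3),     # Red Hat build of Quarkus 3.8.6.SP3
    (3, 15): (3, 15, 3, 1),   # Red Hat build of Quarkus 3.15.3.SP1
}

# Assumed layout of a Red Hat build version, e.g. 3.8.6.SP3-redhat-00002
# or 3.8.4.redhat-00002. Community versions carry no redhat qualifier.
_VERSION_RE = re.compile(
    r"^(?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)"
    r"(?:\.SP(?P<sp>\d+))?(?:\.Final)?"
    r"(?P<rh>[.-]redhat-\d+)?$"
)


def parse_version(version: str) -> Optional[Tuple[Tuple[int, int, int, int], bool]]:
    """Return ((major, minor, patch, sp), is_redhat_build), or None if unparseable."""
    m = _VERSION_RE.match(version)
    if not m:
        return None
    key = (int(m["major"]), int(m["minor"]), int(m["patch"]), int(m["sp"] or 0))
    # Assumption: an SP suffix only appears on Red Hat builds.
    is_redhat = m["rh"] is not None or m["sp"] is not None
    return key, is_redhat


def assess(version: str) -> str:
    """Classify a quarkus-resteasy version as 'fixed', 'affected' or 'unknown'."""
    parsed = parse_version(version)
    if parsed is None:
        return "unknown"
    key, is_redhat = parsed
    if not is_redhat:
        # The bug names only Red Hat fixed builds; do not guess about upstream.
        return "unknown"
    fixed = FIXED_BY_STREAM.get(key[:2])
    if fixed is None:
        return "unknown"        # stream not covered by the errata on this page
    return "fixed" if key >= fixed else "affected"


# Matches "groupId:artifactId:type:version:scope" as printed by mvn dependency:list.
_DEP_RE = re.compile(
    r"(?P<group>[\w.-]+):(?P<artifact>[\w.-]+):(?P<type>[\w-]+):"
    r"(?P<version>[^:\s]+):(?P<scope>\w+)"
)


def scan_dependency_list(text: str) -> List[Tuple[str, str]]:
    """Return (version, status) for every quarkus-resteasy entry in the listing."""
    findings = []
    for line in text.splitlines():
        m = _DEP_RE.search(line)
        if not m:
            continue
        if f"{m['group']}:{m['artifact']}" != ARTIFACT:
            continue
        findings.append((m["version"], assess(m["version"])))
    return findings


# Constructed sample of mvn dependency:list output (not real project data).
SAMPLE_DEPENDENCY_LIST = """\
[INFO] The following files have been resolved:
[INFO]    io.quarkus:quarkus-core:jar:3.8.6.SP3-redhat-00002:compile
[INFO]    io.quarkus:quarkus-resteasy:jar:3.8.4.redhat-00002:compile
[INFO]    io.quarkus:quarkus-resteasy:jar:3.15.3.SP1-redhat-00002:compile
[INFO]    io.quarkus:quarkus-resteasy:jar:3.15.3:compile
"""

if __name__ == "__main__":
    for version, status in scan_dependency_list(SAMPLE_DEPENDENCY_LIST):
        print(f"{ARTIFACT}:{version} -> {status}")
```

Run it against the output of mvn dependency:list on the application's module; any "affected" line means the build ships a quarkus-resteasy older than the errata fix for its stream, and any "unknown" line needs a manual check against the vendor or upstream advisory rather than being treated as safe.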