2345172 – (CVE-2025-1247) CVE-2025-1247 io.quarkus:quarkus-rest: Quarkus REST Endpoint Request Parameter Leakage Due to Shared Instance

Bug 2345172 (CVE-2025-1247) - CVE-2025-1247 io.quarkus:quarkus-rest: Quarkus REST Endpoint Request Parameter Leakage Due to Shared Instance

Summary: CVE-2025-1247 io.quarkus:quarkus-rest: Quarkus REST Endpoint Request Paramete...

Keywords:
Status:	NEW
Alias:	CVE-2025-1247
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2025-02-12 09:38 UTC by OSIDB Bzimport
Modified:	2025-03-03 13:23 UTC (History)
CC List:	33 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2025:1884	None	None	None	2025-02-27 15:15:11 UTC
Red Hat Product Errata	RHSA-2025:1885	None	None	None	2025-02-27 13:16:24 UTC
Red Hat Product Errata	RHSA-2025:2067	None	None	None	2025-03-03 13:23:28 UTC

Description OSIDB Bzimport 2025-02-12 09:38:59 UTC

The vulnerability in Quarkus REST arises when REST endpoints are implemented without a CDI scope and utilize field injection for request parameters. In such cases, a single instance of the endpoint class is shared across multiple concurrent requests, leading to the potential exchange of request parameters between these requests. This means that data such as HTTP headers, URI templates, cookies, and form values from one request can inadvertently be accessed by another, posing significant security risks.Affected applications should ensure proper scoping with @RequestScoped or avoid field injection for request parameters. The issue is fixed in version 3.18.2.

Comment 4 errata-xmlrpc 2025-02-27 13:16:21 UTC

This issue has been addressed in the following products:

  Red Hat build of Quarkus 3.15.3.SP1

Via RHSA-2025:1885 https://access.redhat.com/errata/RHSA-2025:1885

Comment 5 errata-xmlrpc 2025-02-27 15:15:09 UTC

This issue has been addressed in the following products:

  Red Hat build of Quarkus 3.8.6.SP3

Via RHSA-2025:1884 https://access.redhat.com/errata/RHSA-2025:1884

Comment 6 errata-xmlrpc 2025-03-03 13:23:26 UTC

This issue has been addressed in the following products:

  Red Hat Build of Apache Camel 4.8 for Quarkus 3.15

Via RHSA-2025:2067 https://access.redhat.com/errata/RHSA-2025:2067

Note You need to log in before you can comment on or make changes to this bug.

adamevin
anstephe
avibelli
bgeorges
caswilli
chazlett
clement.escoffier
cmah
dandread
dkreling
fmongiar
gsmet
janstey
jmartisk
jnethert
jsamir
kaycoth
lthon
manderse
marcel
mosmerov
olubyans
pesilva
pgallagh
pjindal
probinso
rruss
rsvoboda
sausingh
sbiarozk
sthirugn
tqvarnst
vkrizan