Bug 2374376 (CVE-2025-49574) - CVE-2025-49574 io.quarkus/quarkus-vertx: Quarkus potential data leak
Summary: CVE-2025-49574 io.quarkus/quarkus-vertx: Quarkus potential data leak
Keywords:
Status: NEW
Alias: CVE-2025-49574
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2025-06-23 20:01 UTC by OSIDB Bzimport
Modified: 2025-12-11 07:16 UTC (History)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:


Links: Red Hat Product Errata RHSA-2025:12511 (last updated 2025-08-01 17:43:27 UTC)

Description OSIDB Bzimport 2025-06-23 20:01:20 UTC
Quarkus is a Cloud Native, (Linux) Container First framework for writing Java applications. In versions prior to 3.24.0, there is a potential data leak when duplicating a duplicated context. Quarkus extensively uses the Vert.x duplicated context to implement context propagation. With the new semantic, data from one transaction can leak into the data from another transaction. From a Vert.x point of view, this new semantic clarifies the behavior. A significant amount of data is stored in the duplicated context, including request scope, security details, and metadata. Duplicating a duplicated context is rather rare and is only done in a few places. This issue has been patched in version 3.24.0.

Comment 2 errata-xmlrpc 2025-08-01 17:43:21 UTC
This issue has been addressed in the following products:

  Streams for Apache Kafka 3.0.0

Via RHSA-2025:12511 https://access.redhat.com/errata/RHSA-2025:12511