2418794 – (CVE-2025-66560) CVE-2025-66560 io.quarkus/quarkus-rest: Quarkus REST Worker Thread Exhaustion Vulnerability

Bug 2418794 (CVE-2025-66560) - CVE-2025-66560 io.quarkus/quarkus-rest: Quarkus REST Worker Thread Exhaustion Vulnerability

Summary: CVE-2025-66560 io.quarkus/quarkus-rest: Quarkus REST Worker Thread Exhaustion...

Keywords:
Status:	NEW
Alias:	CVE-2025-66560
Deadline:	2026-01-22
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2025-12-04 13:16 UTC by OSIDB Bzimport
Modified:	2026-02-18 08:27 UTC (History)
CC List:	54 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2025-12-04 13:16:57 UTC

The issue affects the HTTP layer of Quarkus REST. When writing a response, the framework waits for previously sent response chunks to be fully transmitted before continuing. If the client connection is dropped during this wait, the associated worker thread is never released and remains permanently blocked. Under repeated occurrences, this can exhaust the worker thread pool, resulting in severe performance degradation or complete application unavailability.

Note You need to log in before you can comment on or make changes to this bug.

aazores
adamevin
anstephe
asoldano
avibelli
bbaranow
bgeorges
bmaxwell
brian.stansberry
caswilli
ccranfor
chfoley
clement.escoffier
cmah
dandread
darran.lofthouse
dkreling
dosoudil
eaguilar
ebaron
gsmet
istudens
ivassile
iweiss
janstey
jmartisk
jolong
jpechane
jsamir
kaycoth
lthon
manderse
mosmerov
msvehla
nwallace
olubyans
pberan
pesilva
pgallagh
pjindal
pmackay
probinso
rguimara
rruss
rstancel
rsvoboda
sbiarozk
security-response-team
smaestri
sthirugn
swoodman
tom.jenkinson
tqvarnst
vkrizan