CVE-2025-1247
Published: 13 February 2025
Description
A flaw was found in Quarkus REST that allows request parameters to leak between concurrent requests if endpoints use field injection without a CDI scope. This vulnerability allows attackers to manipulate request data, impersonate users, or access sensitive information.
Security Summary
CVE-2025-1247, published on 2025-02-13, is a vulnerability in the Quarkus REST component that enables request parameters to leak between concurrent requests when endpoints employ field injection without a CDI scope. This flaw affects Quarkus applications using such configurations. It carries a CVSS v3.1 base score of 8.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L) and maps to CWE-488.
Attackers with low privileges (PR:L) can exploit this vulnerability remotely over the network with low attack complexity and no user interaction required. Exploitation permits manipulation of request data, user impersonation, or access to sensitive information, resulting in high confidentiality and integrity impacts alongside low availability impact.
Red Hat advisories, including errata RHSA-2025:1884, RHSA-2025:1885, and RHSA-2025:2067, address the issue with patches and updates. Further details on the vulnerability and mitigations are provided on the Red Hat security page for CVE-2025-1247 and Bugzilla entry 2345172.
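The leaking pattern the summary describes, shown beside the two usual ways to avoid it, as an added Java illustration that is not code from the advisory, from Red Hat or from the Quarkus project. The resource and field names are hypothetical. The reasoning is the one the advisory gives: when a Quarkus REST resource class declares no CDI scope it is treated as a singleton, so `@QueryParam`/`@HeaderParam` fields on it are shared state that one in-flight request can overwrite for another. Declaring `@RequestScoped` gives each request its own instance, and taking the parameters as method arguments keeps them off the shared instance entirely.

```java
// Added illustration for CVE-2025-1247 (not from the advisory or the Quarkus
// project). Class names are hypothetical; imports are the standard Jakarta
// REST / CDI annotations a Quarkus REST application already uses.
import jakarta.enterprise.context.RequestScoped;
import jakarta.ws.rs.GET;
import jakarta.ws.rs.HeaderParam;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.QueryParam;

// VULNERABLE pattern: request parameters injected into fields of a resource
// class that declares no CDI scope. Such a resource is a singleton, so the
// single instance (and these two fields) is shared by every request; under
// concurrency one request can observe the 'user' and 'token' written by a
// different request, which is the leak the advisory describes.
@Path("/account")
public class LeakyAccountResource {

    @QueryParam("user")
    String user;

    @HeaderParam("Authorization")
    String token;

    @GET
    public String whoami() {
        // May return another concurrent caller's identity or credential.
        return "user=" + user + " token=" + token;
    }
}

// MITIGATION 1: give the resource a request scope so that each request gets
// its own instance, and therefore its own copy of the injected fields.
@Path("/account-scoped")
@RequestScoped
class ScopedAccountResource {

    @QueryParam("user")
    String user;

    @HeaderParam("Authorization")
    String token;

    @GET
    public String whoami() {
        return "user=" + user + " token=" + token;
    }
}

// MITIGATION 2: avoid field injection and take the parameters as method
// arguments. They are bound per invocation and are never stored on the
// shared singleton instance, so there is nothing to leak between requests.
@Path("/account-params")
class ParamAccountResource {

    @GET
    public String whoami(@QueryParam("user") String user,
                         @HeaderParam("Authorization") String token) {
        return "user=" + user + " token=" + token;
    }
}
```

A quick way to check an application for the first pattern is to grep its JAX-RS resource classes for `@QueryParam`, `@HeaderParam`, `@PathParam`, `@CookieParam` or `@FormParam` applied to fields rather than method parameters, and confirm that every such class carries `@RequestScoped`; the affected Red Hat builds should additionally be updated to the errata versions named above.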
Details
- CWE(s)