Cyber Posture

CVE-2025-1634

High

Published: 26 February 2025

Modified: 20 April 2026
KEV Added
Patch
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0047 (64.9th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

A flaw was found in the quarkus-resteasy extension, which causes memory leaks when client requests with low timeouts are made. If a client request times out, a buffer is not released correctly, leading to increased memory usage and eventual application crash due to OutOfMemoryError.

Security Summary

CVE-2025-1634 is a memory leak vulnerability in the quarkus-resteasy extension. When a client request with a low timeout times out, the associated buffer is not released, so memory usage grows with each such request until the application crashes with an OutOfMemoryError. It is classified under CWE-401 (Memory Leak) and affects Quarkus applications that use the resteasy extension.

The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H): high availability impact with no confidentiality or integrity impact. A remote attacker needs only network access, no privileges and no user interaction, and exploitation is low complexity: repeatedly sending requests with short timeouts exhausts memory and causes a denial of service.

Red Hat provides patches through multiple errata: RHSA-2025:12511, RHSA-2025:1884, RHSA-2025:1885, RHSA-2025:2067, and RHSA-2025:23417. Affected systems should be updated to the fixed versions specified in those security bulletins.

Details

CWE(s)
CWE-401

References