CVE-2025-1247
Severity: HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
Description
A flaw was found in Quarkus REST that allows request parameters to leak between concurrent requests if endpoints use field injection without a CDI scope. This vulnerability allows attackers to manipulate request data, impersonate users, or access sensitive information.
Analysis
Quarkus REST endpoints using field injection without a CDI scope annotation leak request parameters across concurrent HTTP requests, enabling authenticated attackers to manipulate data, impersonate users, or access sensitive information belonging to other concurrent sessions. Red Hat has confirmed the vulnerability (CVE-2025-1247) with a CVSS score of 8.3, affecting Quarkus-based applications. The EPSS score of 0.18% (40th percentile) indicates a relatively low predicted exploitation probability, and no public exploit had been identified at the time of analysis.
Technical Context
This vulnerability stems from CWE-488 (Exposure of Data Element to Wrong Session), a root cause class involving improper isolation of data between concurrent operations. Quarkus REST, Red Hat's reactive REST framework built on JAX-RS, allows developers to inject request-scoped data into endpoint resources. When developers use field injection without applying proper CDI (Contexts and Dependency Injection) scope annotations (such as @RequestScoped), the framework fails to properly isolate request parameters between concurrent HTTP requests. This creates a race condition where request data from one user's HTTP transaction can leak into another concurrent user's request context, breaking fundamental session isolation guarantees. The issue is specific to applications using Quarkus REST (formerly RESTEasy Reactive) with improper injection patterns, not standard CDI-scoped beans.
Affected Products
Red Hat Quarkus REST (formerly RESTEasy Reactive) is affected when applications use field injection patterns without proper CDI scope annotations. Red Hat has issued multiple security advisories (RHSA-2025:1884, RHSA-2025:1885, RHSA-2025:2067) confirming impact across Red Hat's Quarkus-based product ecosystem. The vulnerability is tracked in the upstream Quarkus project at GitHub issue #45789 (https://github.com/quarkusio/quarkus/issues/45789). Red Hat Bugzilla entry 2345172 (https://bugzilla.redhat.com/show_bug.cgi?id=2345172) provides additional tracking information. Specific affected product versions are detailed in the Red Hat security advisories at https://access.redhat.com/security/cve/CVE-2025-1247. Applications using Quarkus REST endpoints with field injection and missing CDI scope annotations are vulnerable regardless of Quarkus version until patched releases are applied.
Remediation
Apply vendor-released patches detailed in Red Hat security advisories RHSA-2025:1884, RHSA-2025:1885, and RHSA-2025:2067 available at https://access.redhat.com/errata/. Specific patched Quarkus versions are documented in these advisories and should be deployed immediately for affected Red Hat Quarkus distributions. For upstream Quarkus users, monitor GitHub issue #45789 (https://github.com/quarkusio/quarkus/issues/45789) for fix commits and integrate patched releases when available. As an immediate mitigation for applications that cannot be patched quickly, audit all REST endpoint classes for field injection patterns and refactor to use proper CDI scope annotations (add @RequestScoped, @ApplicationScoped, or appropriate scope to all resource classes using injection). Review Quarkus REST best practices documentation to ensure all endpoints follow recommended dependency injection patterns with explicit CDI scopes. Implement comprehensive integration testing with concurrent requests to validate session isolation after remediation.
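A concurrent isolation check of the kind the remediation above calls for, written as an added example rather than Quarkus project code; the package, the /greet resource and the test class are hypothetical. The resource carries the explicit @RequestScoped scope the advisory recommends; removing that annotation reproduces the field-injection pattern the advisory describes.

```java
// Added example, not Quarkus project code. Package, resource and test are hypothetical.
package org.acme;

import static io.restassured.RestAssured.given;
import static org.junit.jupiter.api.Assertions.assertTrue;

import io.quarkus.test.junit.QuarkusTest;
import jakarta.enterprise.context.RequestScoped;
import jakarta.ws.rs.GET;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.QueryParam;
import java.util.ArrayList;
import java.util.List;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.concurrent.TimeUnit;
import org.junit.jupiter.api.Test;

// Hardened form: the explicit CDI scope gives every HTTP request its own
// resource instance, so the field-injected parameter cannot be shared.
// Deleting @RequestScoped yields the unscoped field-injection pattern from the advisory.
@Path("/greet")
@RequestScoped
class GreetResource {
    @QueryParam("name")
    String name;

    @GET
    public String greet() {
        return "hello " + name;
    }
}

// Integration test: many concurrent requests, each with a distinct parameter value.
// Leakage between requests shows up as a response echoing some other caller's name.
@QuarkusTest
class GreetIsolationTest {
    @Test
    void eachRequestSeesOnlyItsOwnParameter() throws Exception {
        int requests = 200;
        ExecutorService pool = Executors.newFixedThreadPool(32);
        List<Future<Boolean>> results = new ArrayList<>();
        for (int i = 0; i < requests; i++) {
            String name = "user" + i;  // constructed, unique per request
            results.add(pool.submit(() -> given().queryParam("name", name)
                    .when().get("/greet").then().statusCode(200)
                    .extract().asString().equals("hello " + name)));
        }
        pool.shutdown();
        for (Future<Boolean> r : results) {
            assertTrue(r.get(30, TimeUnit.SECONDS), "response carried another request's parameter");
        }
    }
}
```

Because the leak is a race, a single pass is not proof of isolation; run the test repeatedly (and with more threads than the server's worker count) before treating an endpoint as remediated.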