{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-1247", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2025-02-12T09:43:11.716Z", "datePublished": "2025-02-13T13:26:26.992Z", "dateUpdated": "2025-03-15T09:18:44.686Z"}, "containers": {"cna": {"title": "Io.quarkus:quarkus-rest: quarkus rest endpoint request parameter leakage due to shared instance", "metrics": [{"other": {"content": {"value": "Important", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "A flaw was found in Quarkus REST that allows request parameters to leak between concurrent requests if endpoints use field injection without a CDI scope. This vulnerability allows attackers to manipulate request data, impersonate users, or access sensitive information."}], "affected": [{"versions": [{"status": "affected", "version": "0", "lessThan": "3.18.2", "versionType": "semver"}], "packageName": "quarkus-rest", "collectionURL": "https://github.com/quarkusio/quarkus/", "defaultStatus": "unaffected"}, {"vendor": "Red Hat", "product": "Red Hat Build of Apache Camel 4.8 for Quarkus 3.15", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected", "packageName": "io.quarkus/quarkus-rest", "cpes": ["cpe:/a:redhat:camel_quarkus:3.15"]}, {"vendor": "Red Hat", "product": "Red Hat build of Quarkus 3.15.3.SP1", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected", "packageName": "io.quarkus/quarkus-rest", "cpes": ["cpe:/a:redhat:quarkus:3.15::el8"]}, {"vendor": "Red Hat", "product": "Red Hat build of Quarkus 3.8.6.SP3", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected", "packageName": "io.quarkus/quarkus-rest", "cpes": ["cpe:/a:redhat:quarkus:3.8::el8"]}], "references": [{"url": "https://access.redhat.com/errata/RHSA-2025:1884", "name": "RHSA-2025:1884", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2025:1885", "name": "RHSA-2025:1885", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2025:2067", "name": "RHSA-2025:2067", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/security/cve/CVE-2025-1247", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2345172", "name": "RHBZ#2345172", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "datePublic": "2025-02-12T00:00:00.000Z", "problemTypes": [{"descriptions": [{"cweId": "CWE-488", "description": "Exposure of Data Element to Wrong Session", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-488: Exposure of Data Element to Wrong Session", "workarounds": [{"lang": "en", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}], "timeline": [{"lang": "en", "time": "2025-02-12T09:30:25.106000+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2025-02-12T00:00:00+00:00", "value": "Made public."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2025-03-15T09:18:44.686Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-02-13T14:11:32.786242Z", "id": "CVE-2025-1247", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-13T14:11:38.780Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-1247", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-02-13T14:11:32.786242Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-13T14:11:35.346Z"}}], "cna": {"title": "Io.quarkus:quarkus-rest: quarkus rest endpoint request parameter leakage due to shared instance", "metrics": [{"other": {"type": "Red Hat severity rating", "content": {"value": "Important", "namespace": "https://access.redhat.com/security/updates/classification/"}}}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.3, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"versions": [{"status": "affected", "version": "0", "lessThan": "3.18.2", "versionType": "semver"}], "packageName": "quarkus-rest", "collectionURL": "https://github.com/quarkusio/quarkus/", "defaultStatus": "unaffected"}, {"cpes": ["cpe:/a:redhat:camel_quarkus:3.15"], "vendor": "Red Hat", "product": "Red Hat Build of Apache Camel 4.8 for Quarkus 3.15", "packageName": "io.quarkus/quarkus-rest", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected"}, {"cpes": ["cpe:/a:redhat:quarkus:3.15::el8"], "vendor": "Red Hat", "product": "Red Hat build of Quarkus 3.15.3.SP1", "packageName": "io.quarkus/quarkus-rest", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected"}, {"cpes": ["cpe:/a:redhat:quarkus:3.8::el8"], "vendor": "Red Hat", "product": "Red Hat build of Quarkus 3.8.6.SP3", "packageName": "io.quarkus/quarkus-rest", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-02-12T09:30:25.106000+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2025-02-12T00:00:00+00:00", "value": "Made public."}], "datePublic": "2025-02-12T00:00:00.000Z", "references": [{"url": "https://access.redhat.com/errata/RHSA-2025:1884", "name": "RHSA-2025:1884", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2025:1885", "name": "RHSA-2025:1885", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2025:2067", "name": "RHSA-2025:2067", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/security/cve/CVE-2025-1247", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2345172", "name": "RHBZ#2345172", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "workarounds": [{"lang": "en", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}], "descriptions": [{"lang": "en", "value": "A flaw was found in Quarkus REST that allows request parameters to leak between concurrent requests if endpoints use field injection without a CDI scope. This vulnerability allows attackers to manipulate request data, impersonate users, or access sensitive information."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-488", "description": "Exposure of Data Element to Wrong Session"}]}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2025-03-15T09:18:44.686Z"}, "x_redhatCweChain": "CWE-488: Exposure of Data Element to Wrong Session"}}, "cveMetadata": {"cveId": "CVE-2025-1247", "state": "PUBLISHED", "dateUpdated": "2025-03-15T09:18:44.686Z", "dateReserved": "2025-02-12T09:43:11.716Z", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "datePublished": "2025-02-13T13:26:26.992Z", "assignerShortName": "redhat"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was found in Quarkus REST that allows request parameters to leak between concurrent requests if endpoints use field injection without a CDI scope. This vulnerability allows attackers to manipulate request data, impersonate users, or access sensitive information."}, {"lang": "es", "value": "Se encontr\u00f3 una falla en Quarkus REST que permite que los par\u00e1metros de solicitud se filtren entre solicitudes concurrentes si los endpoints usan la inyecci\u00f3n de campos sin un alcance CDI. Esta vulnerabilidad permite a los atacantes manipular los datos de la solicitud, hacerse pasar por usuarios o acceder a informaci\u00f3n confidencial."}], "id": "CVE-2025-1247", "lastModified": "2025-03-03T14:15:34.120", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.5, "source": "secalert@redhat.com", "type": "Secondary"}]}, "published": "2025-02-13T14:16:18.400", "references": [{"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2025:1884"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2025:1885"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2025:2067"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/security/cve/CVE-2025-1247"}, {"source": "secalert@redhat.com", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2345172"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-488"}], "source": "secalert@redhat.com", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2025:2067", "cpe": "cpe:/a:redhat:camel_quarkus:3.15", "package": "io.quarkus/quarkus-rest", "product_name": "Red Hat Build of Apache Camel 4.8 for Quarkus 3.15", "release_date": "2025-03-03T00:00:00Z"}, {"advisory": "RHSA-2025:1885", "cpe": "cpe:/a:redhat:quarkus:3.15::el8", "package": "io.quarkus/quarkus-rest", "product_name": "Red Hat build of Quarkus 3.15.3.SP1", "release_date": "2025-02-27T00:00:00Z"}, {"advisory": "RHSA-2025:1884", "cpe": "cpe:/a:redhat:quarkus:3.8::el8", "package": "io.quarkus/quarkus-rest", "product_name": "Red Hat build of Quarkus 3.8.6.SP3", "release_date": "2025-02-27T00:00:00Z"}], "bugzilla": {"description": "io.quarkus:quarkus-rest: Quarkus REST Endpoint Request Parameter Leakage Due to Shared Instance", "id": "2345172", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2345172"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L", "status": "verified"}, "cwe": "CWE-488", "details": ["A flaw was found in Quarkus REST that allows request parameters to leak between concurrent requests if endpoints use field injection without a CDI scope. This vulnerability allows attackers to manipulate request data, impersonate users, or access sensitive information.", "A flaw was found in Quarkus REST that allows request parameters to leak between concurrent requests if endpoints use field injection without a CDI scope. This vulnerability allows attackers to manipulate request data, impersonate users, or access sensitive information."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2025-1247", "public_date": "2025-02-12T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-1247\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-1247"], "statement": "This vulnerability marked as important severity rather than moderate because it leads to cross-request data leakage, which can compromise the confidentiality and integrity of user interactions. In a concurrent environment, multiple requests being served by a single, shared instance of an endpoint class means that sensitive request data\u2014such as authentication headers, cookies, or form parameters\u2014can be inadvertently exposed to other users. This violates fundamental HTTP request isolation principles, potentially leading to session hijacking, unauthorized access, or privilege escalation.", "threat_severity": "Important"}