Description
A flaw was found in the quarkus-resteasy extension, which causes memory leaks when client requests with low timeouts are made. If a client request times out, a buffer is not released correctly, leading to increased memory usage and eventual application crash due to OutOfMemoryError.
Published: 2025-02-26
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch ASAP
AI Analysis

Impact

The quarkus-resteasy extension contains a memory management flaw that leads to a memory leak when a client issues requests with very short timeouts. When a request times out, an internal buffer is not released, so the JVM accumulates unreleased objects until an OutOfMemoryError crashes the application. The flaw manifests as a denial-of-service condition; it carries a CVSS score of 7.5 and is classified as CWE-401 (missing release of memory after effective lifetime).

Affected Systems

Affected systems include Red Hat's build of Apache Camel 4.8 for Quarkus 3.15, the Red Hat build of Quarkus 3.15.3.SP1, the Red Hat build of Quarkus 3.8.6.SP3, and Red Hat Streams for Apache Kafka (AMQ Streams) 2.9.1, 3.0.0, and 3.1.0. All shipped versions of the quarkus-resteasy component in these products, as listed in the corresponding RHSA errata, are impacted.

Risk and Exploitability

The CVSS score indicates high severity, but the EPSS score (< 1%) suggests a low current likelihood of exploitation, and the flaw is not cataloged in CISA's KEV list. An attacker who can repeatedly send client requests with short timeouts to the vulnerable application can trigger the leak, causing uncontrolled memory growth and an eventual crash. Because no temporary workaround is available, the risk remains until the vendor's patch is applied.

Generated by OpenCVE AI on April 22, 2026 at 11:49 UTC.

Remediation

Vendor Workaround

Mitigation for this issue is either not available, or the currently available options do not meet the Red Hat Product Security criteria, which comprise ease of use and deployment, applicability to a widespread installation base, and stability.


OpenCVE Recommended Actions

  • Apply the Red Hat errata RHSA-2025:12511, RHSA-2025:1884, RHSA-2025:1885, RHSA-2025:2067, RHSA-2025:23417 and RHSA-2025:9922 that contain the quarkus-resteasy patch.
  • Upgrade the quarkus-resteasy component to a release that incorporates the RHSA fix and rebuild your application.
  • Add runtime monitoring of JVM memory usage and configure automated restarts or alerts when the application approaches OOM thresholds to mitigate downtime.


Advisories

Source: EUVD
ID: EUVD-2025-5294
Title: A flaw was found in the quarkus-resteasy extension, which causes memory leaks when client requests with low timeouts are made. If a client request times out, a buffer is not released correctly, leading to increased memory usage and eventual application crash due to OutOfMemoryError.

Source: GitHub GHSA
ID: GHSA-4fwr-mh5q-hchh
Title: io.quarkus:quarkus-resteasy: Memory Leak in Quarkus RESTEasy Classic When Client Requests Timeout

History

Wed, 06 May 2026 17:15:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:quarkus:3

Mon, 20 Apr 2026 19:15:00 +0000


Wed, 17 Dec 2025 14:45:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:amq_streams:3 cpe:/a:redhat:amq_streams:3.1::el9
References

Thu, 11 Dec 2025 07:15:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:amq_streams:3

Fri, 01 Aug 2025 19:15:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:amq_streams:3.0::el9
References

Mon, 30 Jun 2025 14:15:00 +0000

Type Values Removed Values Added
First Time appeared Redhat amq Streams
CPEs cpe:/a:redhat:amq_streams:2.9::el9
Vendors & Products Redhat amq Streams
References

Tue, 04 Mar 2025 03:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 03 Mar 2025 13:30:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:camel_quarkus:3 cpe:/a:redhat:camel_quarkus:3.15
References

Thu, 27 Feb 2025 15:30:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:quarkus:3.8::el8
References

Thu, 27 Feb 2025 14:15:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:quarkus:3 cpe:/a:redhat:quarkus:3.15::el8
References

Wed, 26 Feb 2025 17:15:00 +0000

Type Values Removed Values Added
Description No description is available for this CVE. A flaw was found in the quarkus-resteasy extension, which causes memory leaks when client requests with low timeouts are made. If a client request times out, a buffer is not released correctly, leading to increased memory usage and eventual application crash due to OutOfMemoryError.
Title io.quarkus:quarkus-resteasy: Memory Leak in Quarkus RESTEasy Classic When Client Requests Timeout Io.quarkus:quarkus-resteasy: memory leak in quarkus resteasy classic when client requests timeout
First Time appeared Redhat
Redhat camel Quarkus
Redhat quarkus
CPEs cpe:/a:redhat:camel_quarkus:3
cpe:/a:redhat:quarkus:3
Vendors & Products Redhat
Redhat camel Quarkus
Redhat quarkus
References

Tue, 25 Feb 2025 01:45:00 +0000

Type Values Removed Values Added
Description No description is available for this CVE.
Title io.quarkus:quarkus-resteasy: Memory Leak in Quarkus RESTEasy Classic When Client Requests Timeout
Weaknesses CWE-401
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Important


MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-05-06T16:47:36.632Z

Reserved: 2025-02-24T14:23:22.369Z

Link: CVE-2025-1634

Vulnrichment

Updated: 2025-02-26T17:25:42.771Z

NVD

Status: Deferred

Published: 2025-02-26T17:15:22.083

Modified: 2026-04-20T19:16:08.277

Link: CVE-2025-1634

Red Hat

Severity: Important

Public Date: 2025-02-24T00:00:00Z

Links: CVE-2025-1634 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-22T12:00:05Z

Weaknesses