{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-1634", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2025-02-24T14:23:22.369Z", "datePublished": "2025-02-26T16:56:23.869Z", "dateUpdated": "2025-08-01T19:06:18.429Z"}, "containers": {"cna": {"title": "Io.quarkus:quarkus-resteasy: memory leak in quarkus resteasy classic when client requests timeout", "metrics": [{"other": {"content": {"value": "Important", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "A flaw was found in the quarkus-resteasy extension, which causes memory leaks when client requests with low timeouts are made. If a client request times out, a buffer is not released correctly, leading to increased memory usage and eventual application crash due to OutOfMemoryError."}], "affected": [{"versions": [{"status": "affected", "version": "0", "lessThan": "3.8.6", "versionType": "semver"}, {"status": "affected", "version": "0", "lessThan": "3.15.3", "versionType": "semver"}], "packageName": "quarkus-resteasy", "collectionURL": "https://github.com/quarkusio/quarkus", "defaultStatus": "unaffected"}, {"vendor": "Red Hat", "product": "Red Hat Build of Apache Camel 4.8 for Quarkus 3.15", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected", "packageName": "quarkus-resteasy", "cpes": ["cpe:/a:redhat:camel_quarkus:3.15"]}, {"vendor": "Red Hat", "product": "Red Hat build of Quarkus 3.15.3.SP1", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected", "packageName": "quarkus-resteasy", "cpes": ["cpe:/a:redhat:quarkus:3.15::el8"]}, {"vendor": "Red Hat", "product": "Red Hat build of Quarkus 3.8.6.SP3", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected", "packageName": "quarkus-resteasy", "cpes": ["cpe:/a:redhat:quarkus:3.8::el8"]}, {"vendor": "Red Hat", "product": "Streams for Apache Kafka 2.9.1", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected", "cpes": ["cpe:/a:redhat:amq_streams:2.9::el9"]}, {"vendor": "Red Hat", "product": "Streams for Apache Kafka 3.0.0", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected", "cpes": ["cpe:/a:redhat:amq_streams:3.0::el9"]}], "references": [{"url": "https://access.redhat.com/errata/RHSA-2025:12511", "name": "RHSA-2025:12511", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2025:1884", "name": "RHSA-2025:1884", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2025:1885", "name": "RHSA-2025:1885", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2025:2067", "name": "RHSA-2025:2067", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2025:9922", "name": "RHSA-2025:9922", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/security/cve/CVE-2025-1634", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2347319", "name": "RHBZ#2347319", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "datePublic": "2025-02-24T00:00:00.000Z", "problemTypes": [{"descriptions": [{"cweId": "CWE-401", "description": "Missing Release of Memory after Effective Lifetime", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-401: Missing Release of Memory after Effective Lifetime", "workarounds": [{"lang": "en", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}], "timeline": [{"lang": "en", "time": "2025-02-24T14:17:31.237000+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2025-02-24T00:00:00+00:00", "value": "Made public."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2025-08-01T19:06:18.429Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-02-26T17:22:33.342704Z", "id": "CVE-2025-1634", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-26T17:25:47.506Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-1634", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-02-26T17:22:33.342704Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-26T17:25:42.771Z"}}], "cna": {"title": "Io.quarkus:quarkus-resteasy: memory leak in quarkus resteasy classic when client requests timeout", "metrics": [{"other": {"type": "Red Hat severity rating", "content": {"value": "Important", "namespace": "https://access.redhat.com/security/updates/classification/"}}}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"versions": [{"status": "affected", "version": "0", "lessThan": "3.8.6", "versionType": "semver"}, {"status": "affected", "version": "0", "lessThan": "3.15.3", "versionType": "semver"}], "packageName": "quarkus-resteasy", "collectionURL": "https://github.com/quarkusio/quarkus", "defaultStatus": "unaffected"}, {"cpes": ["cpe:/a:redhat:camel_quarkus:3.15"], "vendor": "Red Hat", "product": "Red Hat Build of Apache Camel 4.8 for Quarkus 3.15", "packageName": "quarkus-resteasy", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected"}, {"cpes": ["cpe:/a:redhat:quarkus:3.15::el8"], "vendor": "Red Hat", "product": "Red Hat build of Quarkus 3.15.3.SP1", "packageName": "quarkus-resteasy", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected"}, {"cpes": ["cpe:/a:redhat:quarkus:3.8::el8"], "vendor": "Red Hat", "product": "Red Hat build of Quarkus 3.8.6.SP3", "packageName": "quarkus-resteasy", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected"}, {"cpes": ["cpe:/a:redhat:amq_streams:2.9::el9"], "vendor": "Red Hat", "product": "Streams for Apache Kafka 2.9.1", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected"}, {"cpes": ["cpe:/a:redhat:amq_streams:3.0::el9"], "vendor": "Red Hat", "product": "Streams for Apache Kafka 3.0.0", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-02-24T14:17:31.237000+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2025-02-24T00:00:00+00:00", "value": "Made public."}], "datePublic": "2025-02-24T00:00:00.000Z", "references": [{"url": "https://access.redhat.com/errata/RHSA-2025:12511", "name": "RHSA-2025:12511", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2025:1884", "name": "RHSA-2025:1884", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2025:1885", "name": "RHSA-2025:1885", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2025:2067", "name": "RHSA-2025:2067", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2025:9922", "name": "RHSA-2025:9922", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/security/cve/CVE-2025-1634", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2347319", "name": "RHBZ#2347319", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "workarounds": [{"lang": "en", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}], "descriptions": [{"lang": "en", "value": "A flaw was found in the quarkus-resteasy extension, which causes memory leaks when client requests with low timeouts are made. If a client request times out, a buffer is not released correctly, leading to increased memory usage and eventual application crash due to OutOfMemoryError."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-401", "description": "Missing Release of Memory after Effective Lifetime"}]}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2025-08-01T19:06:18.429Z"}, "x_redhatCweChain": "CWE-401: Missing Release of Memory after Effective Lifetime"}}, "cveMetadata": {"cveId": "CVE-2025-1634", "state": "PUBLISHED", "dateUpdated": "2025-08-01T19:06:18.429Z", "dateReserved": "2025-02-24T14:23:22.369Z", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "datePublished": "2025-02-26T16:56:23.869Z", "assignerShortName": "redhat"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was found in the quarkus-resteasy extension, which causes memory leaks when client requests with low timeouts are made. If a client request times out, a buffer is not released correctly, leading to increased memory usage and eventual application crash due to OutOfMemoryError."}, {"lang": "es", "value": "Se ha encontrado un error en la extensi\u00f3n quarkus-resteasy, que ocasiona p\u00e9rdidas de memoria cuando los clientes efect\u00faan peticiones con timeouts bajos. Si la petici\u00f3n de un cliente caduca, no se libera correctamente un buffer, lo que ocasiona un mayor uso de memoria y una eventual finalizaci\u00f3n de la aplicaci\u00f3n debido a un OutOfMemoryError."}], "id": "CVE-2025-1634", "lastModified": "2025-08-01T19:15:32.940", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "secalert@redhat.com", "type": "Secondary"}]}, "published": "2025-02-26T17:15:22.083", "references": [{"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2025:12511"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2025:1884"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2025:1885"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2025:2067"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2025:9922"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/security/cve/CVE-2025-1634"}, {"source": "secalert@redhat.com", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2347319"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-401"}], "source": "secalert@redhat.com", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2025:2067", "cpe": "cpe:/a:redhat:camel_quarkus:3.15", "package": "quarkus-resteasy", "product_name": "Red Hat Build of Apache Camel 4.8 for Quarkus 3.15", "release_date": "2025-03-03T00:00:00Z"}, {"advisory": "RHSA-2025:1885", "cpe": "cpe:/a:redhat:quarkus:3.15::el8", "package": "quarkus-resteasy", "product_name": "Red Hat build of Quarkus 3.15.3.SP1", "release_date": "2025-02-27T00:00:00Z"}, {"advisory": "RHSA-2025:1884", "cpe": "cpe:/a:redhat:quarkus:3.8::el8", "package": "quarkus-resteasy", "product_name": "Red Hat build of Quarkus 3.8.6.SP3", "release_date": "2025-02-27T00:00:00Z"}, {"advisory": "RHSA-2025:9922", "cpe": "cpe:/a:redhat:amq_streams:2.9::el9", "product_name": "Streams for Apache Kafka 2.9.1", "release_date": "2025-06-30T00:00:00Z"}], "bugzilla": {"description": "io.quarkus:quarkus-resteasy: Memory Leak in Quarkus RESTEasy Classic When Client Requests Timeout", "id": "2347319", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2347319"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-401", "details": ["A flaw was found in the quarkus-resteasy extension, which causes memory leaks when client requests with low timeouts are made. If a client request times out, a buffer is not released correctly, leading to increased memory usage and eventual application crash due to OutOfMemoryError.", "A flaw was found in the quarkus-resteasy extension, which causes memory leaks when client requests with low timeouts are made. If a client request times out, a buffer is not released correctly, leading to increased memory usage and eventual application crash due to OutOfMemoryError."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2025-1634", "public_date": "2025-02-24T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-1634\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-1634"], "statement": "This vulnerability is marked as and Important severity rather than Moderate because it allows an unauthenticated attacker to trigger a denial of service condition by repeatedly sending crafted HTTP requests with low timeouts. The issue leads to a memory leak that cannot be recovered without restarting the application, ultimately resulting in an OutOfMemoryError and complete service failure.\nIn a production environment, this vulnerability poses a significant risk to availability, especially for applications handling multiple concurrent requests. Since no mitigation exists, all applications using quarkus-resteasy are affected until patched. The ease of exploitation, lack of required privileges, and high impact on service uptime justify the high severity rating.", "threat_severity": "Important"}

{}