CVE-2024-12225

9.1 CRITICAL

📋 TL;DR

A flaw in Quarkus's WebAuthn module (quarkus-security-webauthn): the module's built-in REST endpoints for registration and login stay registered even when an application supplies its own custom endpoints, so any checks the application performs only in those custom endpoints can be sidestepped. An unauthenticated attacker can drive the default registration flow for a username that does not exist and receive a valid login cookie, and may be able to obtain a cookie for an existing user if the username is known. Applications that use quarkus-security-webauthn together with custom REST endpoints are affected.

💻 Affected Systems

Products:
  • Quarkus
Versions: Quarkus releases shipping quarkus-security-webauthn before the fixed versions listed in the vendor advisory
Operating Systems: All platforms running Quarkus
Default Config Vulnerable: ⚠️ Yes (the built-in endpoints are on and cannot be switched off in affected versions)
Notes: Exploitable in applications that pair quarkus-security-webauthn with custom REST endpoints. The built-in endpoints stay reachable alongside the custom ones, so any extra checks done only in the custom endpoints are bypassed.

📦 What is this software?

Quarkus is a Java framework from Red Hat for building cloud-native services. Its quarkus-security-webauthn extension adds passwordless authentication with WebAuthn (passkeys, FIDO2 authenticators); it ships built-in registration and login endpoints and also lets applications write their own.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete authentication bypass: an attacker obtains session cookies for accounts of their choosing and, where the application assigns roles by username without further checks, administrative access and full control over the application.

🟠

Likely Case

Attackers register credentials for usernames the application never created, or obtain cookies for existing users whose usernames they can identify, leading to data theft, privilege escalation or unauthorized actions.

🟢

If Mitigated

Once the default endpoints are disabled (fixed release with the built-in endpoints left off) or blocked in front of the application, only the intended custom endpoints remain reachable and the normal authentication flow holds.

🌐 Internet-Facing: HIGH - WebAuthn endpoints are typically internet-facing for user authentication, making them directly accessible to attackers.
🏢 Internal Only: MEDIUM - Internal applications are still vulnerable but have reduced attack surface compared to internet-facing systems.

🎯 Exploit Status

Public PoC: ❌ No
Weaponized: Not known publicly; the attack is a handful of HTTP requests and trivial to script
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation needs only HTTP requests to the default endpoints; no credentials are required. Registering a fresh username needs nothing else; logging in as an existing user requires knowing or guessing that username.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check Quarkus security advisory for specific fixed versions

Vendor Advisory: https://access.redhat.com/security/cve/CVE-2024-12225

Restart Required: Yes

Instructions:

1. Update the Quarkus platform BOM to a fixed release (quarkus-security-webauthn is versioned with the platform, so it moves with it).
2. Review the WebAuthn configuration against the guide for the new release: fixed releases make the built-in login and registration endpoints opt-in through configuration (quarkus.webauthn.enable-login-endpoint and quarkus.webauthn.enable-registration-endpoint; confirm the exact keys in the guide for your release), so leave them off when custom endpoints are in use.
3. Rebuild and restart the application.
4. Verify the default endpoints now return 404 while the custom endpoints still work.

🔧 Temporary Workarounds

Block the default WebAuthn endpoints in front of the application (all platforms)

Affected releases provide no configuration property that turns the built-in endpoints off (their always-on registration is the defect), so the block has to happen before the request reaches Quarkus: deny the default route prefix (/q/webauthn/ unless quarkus.http.non-application-root-path was changed) at the reverse proxy, ingress or WAF, or reject it in a request filter that runs ahead of the WebAuthn routes. Keep the application's custom endpoints reachable and confirm the block with an unauthenticated request afterwards.

Network access control (all platforms)

Restrict who can reach the WebAuthn endpoints with firewall rules or network segmentation. This shrinks exposure but does not remove the flaw for anyone who still has access.

🧯 If You Can't Patch

  • Add a request filter ahead of the WebAuthn routes that rejects the default route prefix, and verify that the custom endpoints remain the only way to register or log in
  • Use web application firewall (WAF) or reverse-proxy rules to block requests to the default WebAuthn endpoints

🔍 How to Verify

Check if Vulnerable:

Confirm the application depends on quarkus-security-webauthn and implements custom REST endpoints, then test whether the built-in endpoints still answer: send an unauthenticated POST to the default register and login routes (/q/webauthn/register and /q/webauthn/login unless the non-application root path was changed; some write-ups list them as /webauthn/register and /webauthn/login). A response carrying a WebAuthn challenge rather than a 404 means the defaults are live.

Check Version:

Check the Quarkus platform version in pom.xml (quarkus.platform.version) or build.gradle, or read it from the startup log, which prints the Quarkus version when the application boots. For the exact module version, run: mvn dependency:tree -Dincludes=io.quarkus:quarkus-security-webauthn

Verify Fix Applied:

After patching, confirm the default endpoints return 404 (they are opt-in in fixed releases and should stay off when custom endpoints are in use) and that the authentication flow succeeds only through the intended endpoints.

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed authentication attempts from same IP
  • Successful logins from unexpected IPs or user agents
  • Any request to the default WebAuthn routes (/q/webauthn/... by default; sometimes listed as /webauthn/...) in an application that only uses custom endpoints; legitimate clients never call them

Network Indicators:

  • HTTP POST requests to default WebAuthn endpoints
  • Unusual authentication traffic patterns

SIEM Query:

source="web_logs" AND (uri_path="/q/webauthn/*" OR uri_path="/webauthn/*") AND response_status>=200 AND response_status<400

(Splunk-style syntax; adapt the wildcard and comparison operators to your SIEM. In an application that uses custom endpoints the expected hit count is zero, so any answered request to these paths is worth triage.)
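The same detection as a script, added here as an example (not code from this page or from Quarkus): it parses combined-format access log lines, keeps every request under the default WebAuthn route prefixes, and counts per source address how many were actually answered (non-4xx status) rather than rejected. The sample lines are constructed, not real traffic; the /q/webauthn/callback path in them is assumed to be one of the built-in routes, which is why the match is on the prefix rather than on exact paths.

```python
import re
from collections import defaultdict

# Route prefixes of the built-in WebAuthn endpoints. /q/webauthn/ is the Quarkus
# default (non-application root path); /webauthn/ covers the paths as this page
# lists them. Extend the tuple if the root path was customized.
DEFAULT_PREFIXES = ("/q/webauthn/", "/webauthn/")

# Combined log format, as written by most reverse proxies in front of Quarkus.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines (not real traffic): one client walks the default
# register/callback flow, one legitimate user hits the app's custom endpoint,
# one scanner gets a 404 from a deployment where the route is gone.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Dec/2024:11:02:15 +0000] "POST /q/webauthn/register HTTP/1.1" 200 412 "-" "python-requests/2.32"
203.0.113.7 - - [10/Dec/2024:11:02:16 +0000] "POST /q/webauthn/callback HTTP/1.1" 204 0 "-" "python-requests/2.32"
198.51.100.4 - - [10/Dec/2024:11:05:01 +0000] "POST /api/auth/passkey/login HTTP/1.1" 200 380 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Dec/2024:11:06:44 +0000] "GET /q/webauthn/login HTTP/1.1" 404 0 "-" "curl/8.4"
"""


def find_default_endpoint_hits(lines, prefixes=DEFAULT_PREFIXES):
    """Return one record per request that touched a default WebAuthn route.

    In an application that only uses custom endpoints no legitimate client calls
    these routes, so every hit deserves a look. "answered" (status below 400)
    means the route was live and responded, the sign of an unpatched or
    unblocked deployment; 404s are probes against a closed door.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        path = m.group("path").split("?", 1)[0]
        if not path.startswith(prefixes):
            continue
        status = int(m.group("status"))
        hits.append({
            "ip": m.group("ip"),
            "ts": m.group("ts"),
            "method": m.group("method"),
            "path": path,
            "status": status,
            "answered": status < 400,
        })
    return hits


def summarize_by_ip(hits):
    """Count requests and answered requests per source address."""
    summary = defaultdict(lambda: {"requests": 0, "answered": 0})
    for hit in hits:
        summary[hit["ip"]]["requests"] += 1
        if hit["answered"]:
            summary[hit["ip"]]["answered"] += 1
    return dict(summary)


if __name__ == "__main__":
    hits = find_default_endpoint_hits(SAMPLE_LOG.splitlines())
    for ip, counts in summarize_by_ip(hits).items():
        flag = "ALERT" if counts["answered"] else "probe"
        print(f"{flag:5} {ip:15} requests={counts['requests']} answered={counts['answered']}")
```

Feed it real access logs with `find_default_endpoint_hits(open(path))`; an address with answered requests against the default routes in an application that relies on custom endpoints should be treated as an authentication bypass attempt, and the cookies issued in that window as suspect.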

🔗 References

  • Red Hat advisory: https://access.redhat.com/security/cve/CVE-2024-12225