CVE-2025-1247
📋 TL;DR
CVE-2025-1247 is a concurrency vulnerability in Quarkus REST where request parameters can leak between concurrent requests when endpoints use field injection without proper CDI scoping. This allows attackers to potentially access or manipulate sensitive data from other users' requests. Organizations using vulnerable Quarkus REST configurations are affected.
💻 Affected Systems
- Quarkus REST
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could impersonate users, access sensitive information like authentication tokens or personal data, or manipulate business transactions by intercepting request parameters from other concurrent users.
Likely Case
Data leakage where attackers can view or modify request parameters from other users, potentially leading to unauthorized data access or session hijacking.
If Mitigated
With proper CDI scoping and request isolation, the vulnerability is prevented, maintaining normal application functionality without data leakage.
🎯 Exploit Status
Exploitation requires understanding of application endpoints and timing attacks to intercept concurrent requests.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check specific Red Hat advisories (RHSA-2025:1884, RHSA-2025:1885, RHSA-2025:2067) for patched versions
Vendor Advisory: https://access.redhat.com/security/cve/CVE-2025-1247
Restart Required: No
Instructions:
1. Review Red Hat advisories for your specific Quarkus version.
2. Apply the recommended patch or update to a fixed version.
3. Verify endpoints use proper CDI scoping.
🔧 Temporary Workarounds
Implement Proper CDI Scoping
Ensure all REST endpoints using field injection have proper CDI scope annotations (@RequestScoped, @ApplicationScoped, etc.) to prevent request parameter leakage.
Review and update endpoint annotations to include appropriate CDI scope
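As an added illustration (not code from this advisory or from the Quarkus project), the pattern the workaround above targets: a resource class that field-injects a request parameter with no scope annotation, beside the same class annotated @RequestScoped so each request gets its own instance. Class, method and parameter names are hypothetical; it assumes Quarkus 3 with the jakarta.ws.rs API.

```java
import jakarta.enterprise.context.RequestScoped;
import jakarta.ws.rs.GET;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.QueryParam;

// BEFORE: the shape the advisory describes. No CDI scope is declared, so the
// container may reuse one instance for concurrent requests, and the injected
// field is shared state: a second request can overwrite "accountId" before the
// first request's handler reads it.
@Path("/account-unscoped")
public class UnscopedAccountResource {          // hypothetical class name
    @QueryParam("accountId")
    String accountId;                            // field injection, shared across requests

    @GET
    public String balance() {
        // Value read here may belong to a different concurrent request.
        return "balance for " + accountId;
    }
}

// AFTER: @RequestScoped gives every request its own instance, so the
// injected field cannot be observed by another request's handler.
@Path("/account")
@RequestScoped
public class AccountResource {                   // hypothetical class name
    @QueryParam("accountId")
    String accountId;                            // now per-request state

    @GET
    public String balance() {
        return "balance for " + accountId;
    }
}

// ALTERNATIVE: avoid field injection entirely by taking the parameter as a
// method argument; method parameters are never shared between requests,
// whatever the class scope.
@Path("/account-by-param")
public class ParamAccountResource {              // hypothetical class name
    @GET
    public String balance(@QueryParam("accountId") String accountId) {
        return "balance for " + accountId;
    }
}
```

When auditing a code base, grep for resource classes (annotated @Path) that declare @QueryParam, @PathParam, @HeaderParam or similar on fields and carry no scope annotation; those are the candidates to annotate or refactor.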
🧯 If You Can't Patch
- Implement request isolation mechanisms and review all endpoints for proper CDI scoping
- Monitor application logs for unusual concurrent request patterns and implement rate limiting
🔍 How to Verify
Check if Vulnerable:
Review Quarkus REST endpoints for field injection usage without CDI scope annotations. Check application version against Red Hat advisories.
Check Version:
Check Quarkus version in application properties or via application startup logs
Verify Fix Applied:
Verify all endpoints have proper CDI scoping annotations and test with concurrent requests to ensure no parameter leakage occurs.
📡 Detection & Monitoring
Log Indicators:
- Unusual concurrent request patterns
- Requests with mismatched parameter values
- Errors related to request scope violations
Network Indicators:
- Multiple concurrent requests to the same endpoint from the same source
- Unusual parameter values in requests
SIEM Query:
Search for concurrent requests to the same REST endpoint with parameter anomalies or scope violation errors