CVE-2025-1634
📋 TL;DR
A memory leak vulnerability in the quarkus-resteasy extension occurs when client requests timeout, causing buffers to not be properly released. This leads to increased memory consumption and potential application crashes via OutOfMemoryError. Applications using affected versions of Quarkus with the resteasy extension are vulnerable.
💻 Affected Systems
- Quarkus with quarkus-resteasy extension
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Application crashes due to OutOfMemoryError, causing complete service disruption and potential data loss or corruption.
Likely Case
Gradual memory consumption increase leading to degraded performance and eventual application restart requirements.
If Mitigated
Memory usage remains stable with proper timeout handling and monitoring in place.
🎯 Exploit Status
Exploitation requires ability to trigger client request timeouts, which could be achieved through network manipulation or crafted requests.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check specific Red Hat advisories for patched versions
Vendor Advisory: https://access.redhat.com/errata/RHSA-2025:12511
Restart Required: Yes
Instructions:
1. Review Red Hat advisories for your specific Quarkus version.
2. Update to the patched version.
3. Restart the application.
4. Verify the fix with memory monitoring.
🔧 Temporary Workarounds
Increase client timeout values
Set higher timeout values to reduce the likelihood of timeout-triggered memory leaks
quarkus.rest-client.timeout=5000
quarkus.rest-client.read-timeout=5000
Disable resteasy client features if unused
Remove or disable the quarkus-resteasy extension if it is not required
🧯 If You Can't Patch
- Implement aggressive memory monitoring and alerting for OutOfMemory conditions
- Configure automatic application restart when memory thresholds are exceeded
🔍 How to Verify
Check if Vulnerable:
Check Quarkus version and extension list for quarkus-resteasy usage
Check Version:
java -jar your-app.jar --version
Verify Fix Applied:
Monitor memory usage during client request timeouts after patch application
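One way to automate the "check extension list" step, as an added example that is not part of this advisory or of the Quarkus project: parse the Maven pom.xml, report the declared Quarkus platform version, and list any classic RESTEasy artifacts. The sample pom.xml is constructed, and the rule for what counts as a classic RESTEasy artifact (quarkus-resteasy plus quarkus-resteasy-* companions, excluding quarkus-resteasy-reactive*) is an assumption stated in the code. The script cannot decide whether a version is affected, since the advisory gives no version ranges; it only surfaces the facts you need to compare against the Red Hat advisories.

```python
import xml.etree.ElementTree as ET

# Constructed sample pom.xml for a Quarkus service (not from any real project).
SAMPLE_POM = """<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>orders-service</artifactId>
  <version>1.0.0</version>
  <properties>
    <quarkus.platform.group-id>io.quarkus.platform</quarkus.platform.group-id>
    <quarkus.platform.version>3.15.1</quarkus.platform.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>io.quarkus</groupId>
      <artifactId>quarkus-resteasy</artifactId>
    </dependency>
    <dependency>
      <groupId>io.quarkus</groupId>
      <artifactId>quarkus-resteasy-jackson</artifactId>
    </dependency>
    <dependency>
      <groupId>io.quarkus</groupId>
      <artifactId>quarkus-junit5</artifactId>
      <scope>test</scope>
    </dependency>
  </dependencies>
</project>
"""


def _local(tag):
    """Strip the POM namespace so lookups do not depend on the xmlns declaration."""
    return tag.split("}", 1)[1] if "}" in tag else tag


def _is_classic_resteasy(artifact_id):
    # Assumption about artifact naming: quarkus-resteasy and its quarkus-resteasy-*
    # companions (jackson, jsonb, multipart, ...) form the classic RESTEasy stack the
    # advisory names; quarkus-resteasy-reactive* is the separate reactive stack.
    if artifact_id == "quarkus-resteasy":
        return True
    return artifact_id.startswith("quarkus-resteasy-") and not artifact_id.startswith(
        "quarkus-resteasy-reactive"
    )


def inspect_pom(pom_xml):
    """Return the declared Quarkus platform version and any classic RESTEasy artifacts."""
    root = ET.fromstring(pom_xml)
    platform_version = None
    resteasy = []
    for el in root.iter():
        name = _local(el.tag)
        # Projects that use quarkus.version instead of quarkus.platform.version
        # would need that property name added here.
        if name == "quarkus.platform.version":
            platform_version = (el.text or "").strip()
        elif name == "dependency":
            fields = {_local(c.tag): (c.text or "").strip() for c in el}
            if fields.get("groupId") == "io.quarkus" and _is_classic_resteasy(
                fields.get("artifactId", "")
            ):
                resteasy.append(fields["artifactId"])
    return {
        "platform_version": platform_version,
        "resteasy_artifacts": resteasy,
        "uses_resteasy": bool(resteasy),
    }


if __name__ == "__main__":
    import sys

    pom = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_POM
    print(inspect_pom(pom))
```

Run it as `python inspect_pom.py path/to/pom.xml`. It only sees direct declarations in that one pom; for multi-module builds or extensions pulled in transitively, run it against each module or confirm with your build tool's dependency tree.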
📡 Detection & Monitoring
Log Indicators:
- OutOfMemoryError in logs
- Increasing memory usage patterns
- Frequent garbage collection
Network Indicators:
- Increased timeout responses from application
SIEM Query:
source="application.logs" AND ("OutOfMemoryError" OR "java.lang.OutOfMemoryError")
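The log indicators above can be checked mechanically rather than by eye. The following is an added example, not part of this advisory: it scans JDK unified GC log lines (the `-Xlog:gc` format, which prints `<before>M-><after>M(<committed>M)` per collection) together with application log lines, and raises four findings that map to the indicators listed: an OutOfMemoryError, a Full GC, post-GC heap occupancy that keeps rising (the leak signature, since the live set grows even though collection runs), and post-GC occupancy near the committed heap. The sample log is constructed; the thresholds `min_rising` and `high_water` are assumptions to tune per service.

```python
import re
from dataclasses import dataclass

# Constructed sample log: JDK unified GC log lines (-Xlog:gc) interleaved with a
# Quarkus application log line. Illustrative only, not captured from a real host.
SAMPLE_LOG = """\
[10.001s][info][gc] GC(1) Pause Young (Normal) (G1 Evacuation Pause) 120M->60M(512M) 4.1ms
[20.002s][info][gc] GC(2) Pause Young (Normal) (G1 Evacuation Pause) 180M->95M(512M) 5.0ms
[30.003s][info][gc] GC(3) Pause Young (Normal) (G1 Evacuation Pause) 230M->150M(512M) 6.2ms
[40.004s][info][gc] GC(4) Pause Young (Normal) (G1 Evacuation Pause) 300M->220M(512M) 7.9ms
[50.005s][info][gc] GC(5) Pause Full (G1 Compaction Pause) 480M->410M(512M) 350.0ms
2025-03-01 12:00:50,100 ERROR [io.qua.ver.htt.run.QuarkusErrorHandler] (executor-thread-1) HTTP Request to /api/orders failed: java.lang.OutOfMemoryError: Java heap space
"""

# "<before>M-><after>M(<committed>M)" is the heap summary the JDK prints per GC event.
GC_RE = re.compile(r"\]\[gc\]\s+GC\((\d+)\)\s+(Pause \w+).*?(\d+)M->(\d+)M\((\d+)M\)")
OOM_RE = re.compile(r"java\.lang\.OutOfMemoryError")


@dataclass
class Finding:
    kind: str  # oom | leak_trend | heap_pressure | full_gc
    detail: str


def parse_gc_line(line):
    """Return (gc_id, pause_type, before_mb, after_mb, committed_mb) or None."""
    m = GC_RE.search(line)
    if not m:
        return None
    return int(m.group(1)), m.group(2), int(m.group(3)), int(m.group(4)), int(m.group(5))


def analyze_log(log_text, min_rising=3, high_water=0.75):
    """Scan log text for the memory indicators and return a list of Finding."""
    findings = []
    after_gc = []  # (gc_id, after_mb, committed_mb) in log order
    for line in log_text.splitlines():
        if OOM_RE.search(line):
            findings.append(Finding("oom", line.strip()))
            continue
        parsed = parse_gc_line(line)
        if parsed is None:
            continue
        gc_id, pause, _before, after, committed = parsed
        after_gc.append((gc_id, after, committed))
        if pause.startswith("Pause Full"):
            findings.append(Finding("full_gc", f"GC({gc_id}) {after}M/{committed}M live after Full GC"))

    # Leak signature: occupancy after GC strictly rises across the last min_rising collections.
    tail = [after for _, after, _ in after_gc[-min_rising:]]
    if len(tail) >= min_rising and all(b > a for a, b in zip(tail, tail[1:])):
        findings.append(Finding("leak_trend", f"post-GC heap rose over last {min_rising} GCs: {tail}"))

    # Heap pressure: the last post-GC occupancy is at or above high_water of committed heap.
    if after_gc:
        gc_id, after, committed = after_gc[-1]
        if after / committed >= high_water:
            findings.append(Finding("heap_pressure", f"GC({gc_id}) {after}M of {committed}M live after GC"))
    return findings


def finding_kinds(log_text):
    """Distinct indicator kinds present, convenient for alert routing."""
    return {f.kind for f in analyze_log(log_text)}


if __name__ == "__main__":
    for f in analyze_log(SAMPLE_LOG):
        print(f"{f.kind:14} {f.detail}")
```

A `leak_trend` finding without an `oom` is the one worth alerting on early: by the time `java.lang.OutOfMemoryError` appears the service is already failing requests, whereas rising post-GC occupancy shows up while a controlled restart is still an option.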
🔗 References
- https://access.redhat.com/errata/RHSA-2025:12511
- https://access.redhat.com/errata/RHSA-2025:1884
- https://access.redhat.com/errata/RHSA-2025:1885
- https://access.redhat.com/errata/RHSA-2025:2067
- https://access.redhat.com/errata/RHSA-2025:23417
- https://access.redhat.com/errata/RHSA-2025:9922
- https://access.redhat.com/security/cve/CVE-2025-1634
- https://bugzilla.redhat.com/show_bug.cgi?id=2347319