CVE-2025-66560
📋 TL;DR
A thread exhaustion vulnerability in the Quarkus REST HTTP layer causes worker threads to become permanently blocked when a client connection drops while the response is being transmitted. This affects Quarkus applications that expose REST endpoints and can lead to denial of service. All Quarkus deployments running vulnerable versions are affected.
💻 Affected Systems
- Quarkus
📦 What is this software?
Quarkus by Quarkus
⚠️ Risk & Real-World Impact
Worst Case
Complete application unavailability due to exhaustion of all worker threads, making the service completely unresponsive to legitimate requests.
Likely Case
Degraded performance with increasing latency and reduced throughput as available worker threads decrease, eventually leading to partial service disruption.
If Mitigated
With proper monitoring and thread pool management, the impact is limited to temporary performance degradation that can be detected and addressed before complete failure.
🎯 Exploit Status
Exploitation requires repeatedly dropping client connections during response transmission, which can be automated with simple scripts.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.31.0, 3.27.2, or 3.20.5
Vendor Advisory: https://github.com/quarkusio/quarkus/security/advisories/GHSA-5rfx-cp42-p624
Restart Required: Yes
Instructions:
1. Identify your Quarkus version.
2. Upgrade to 3.31.0, 3.27.2, or 3.20.5 based on your current version stream.
3. Update dependencies in pom.xml or build.gradle.
4. Rebuild and redeploy the application.
5. Restart all affected services.
🔧 Temporary Workarounds
Worker Thread Pool Monitoring
Implement health checks that monitor worker thread pool saturation and thread retention so that abnormal conditions are detected early.
Implement a custom health check endpoint that reports ThreadPoolExecutor metrics and the states of the worker threads.
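The following readiness check is an added example of the monitoring workaround described above; it is not code from the advisory or from the Quarkus project. It assumes that Quarkus exposes its worker pool as an injectable java.util.concurrent.ExecutorService backed by a JBoss Threads EnhancedQueueExecutor, that worker threads are named "executor-thread-N", and that an idle worker parks inside the executor's own run loop while a worker stuck on a dropped connection parks inside application or I/O frames. The package name, the class name and the 50% stuck-thread threshold are placeholders for illustration.

```java
package org.example.health; // hypothetical package

import java.lang.management.ManagementFactory;
import java.lang.management.ThreadInfo;
import java.lang.management.ThreadMXBean;
import java.util.concurrent.ExecutorService;

import jakarta.enterprise.context.ApplicationScoped;
import jakarta.inject.Inject;

import org.eclipse.microprofile.health.HealthCheck;
import org.eclipse.microprofile.health.HealthCheckResponse;
import org.eclipse.microprofile.health.HealthCheckResponseBuilder;
import org.eclipse.microprofile.health.Readiness;
import org.jboss.threads.EnhancedQueueExecutor;

/**
 * Readiness check that reports DOWN when the worker pool is saturated or when an
 * abnormal share of worker threads is parked outside the pool's idle loop.
 * Exposed under /q/health/ready once the quarkus-smallrye-health extension is present.
 */
@Readiness
@ApplicationScoped
public class WorkerPoolHealthCheck implements HealthCheck {

    // Assumptions of this example (not stated in the advisory): Quarkus names worker
    // threads "executor-thread-N" and backs the pool with an EnhancedQueueExecutor.
    private static final String WORKER_THREAD_PREFIX = "executor-thread-";
    private static final double STUCK_RATIO_THRESHOLD = 0.5; // placeholder; tune per deployment

    @Inject
    ExecutorService workerPool; // assumed to resolve to the Quarkus worker pool bean

    @Override
    public HealthCheckResponse call() {
        HealthCheckResponseBuilder b = HealthCheckResponse.named("worker-thread-pool");
        boolean up = true;

        // 1. Pool-level saturation from the executor's own counters.
        if (workerPool instanceof EnhancedQueueExecutor eqe) {
            int active = eqe.getActiveCount();
            int max = eqe.getMaximumPoolSize();
            b.withData("activeThreads", active)
             .withData("maxThreads", max)
             .withData("queuedTasks", eqe.getQueueSize());
            if (max > 0 && active >= max) {
                up = false; // every worker is busy: new requests queue or time out
            }
        }

        // 2. Thread-level view: workers parked somewhere other than the pool's idle wait.
        ThreadMXBean mx = ManagementFactory.getThreadMXBean();
        int workers = 0;
        int stuck = 0;
        for (ThreadInfo ti : mx.dumpAllThreads(false, false)) {
            if (ti == null || !ti.getThreadName().startsWith(WORKER_THREAD_PREFIX)) {
                continue;
            }
            workers++;
            if (isWaiting(ti.getThreadState()) && !parkedInPoolIdleLoop(ti.getStackTrace())) {
                stuck++;
            }
        }
        b.withData("workerThreads", workers).withData("suspectedStuckThreads", stuck);
        if (workers > 0 && (double) stuck / workers >= STUCK_RATIO_THRESHOLD) {
            up = false; // retained threads are accumulating: investigate before the pool drains
        }
        return up ? b.up().build() : b.down().build();
    }

    private static boolean isWaiting(Thread.State s) {
        return s == Thread.State.BLOCKED
            || s == Thread.State.WAITING
            || s == Thread.State.TIMED_WAITING;
    }

    /**
     * Heuristic (an assumption of this example): after skipping the park() frames, an idle
     * worker's first frame belongs to the executor itself; a worker waiting inside
     * application or I/O code does not.
     */
    private static boolean parkedInPoolIdleLoop(StackTraceElement[] frames) {
        for (StackTraceElement f : frames) {
            String cls = f.getClassName();
            if (cls.startsWith("jdk.internal.misc.Unsafe")
                    || cls.startsWith("java.util.concurrent.locks.LockSupport")) {
                continue; // the park() frames say nothing about who is waiting
            }
            return cls.startsWith("org.jboss.threads.");
        }
        return false;
    }
}
```

The executor counters give the saturation signal the workaround asks for; the thread-dump pass adds the retention signal, since a pool can look healthy on active count alone while a growing fraction of its threads are permanently parked. Validate the idle-loop heuristic against a real thread dump from your Quarkus version before alerting on it, and keep the readiness probe itself cheap: dumpAllThreads is called without lock or synchronizer information to limit its cost.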
🧯 If You Can't Patch
- Configure aggressive connection timeouts and keep-alive settings to shorten the window during which a dropped connection can hold a worker thread
- Deploy rate limiting and request throttling to limit the number of concurrent connections from single sources
🔍 How to Verify
Check if Vulnerable:
Check Quarkus version in application properties or via /q/health endpoint. Vulnerable if version is below 3.31.0, 3.27.2, or 3.20.5.
Check Version:
Check application.properties for 'quarkus.version' or use: curl -s http://localhost:8080/q/health | grep version
Verify Fix Applied:
Confirm the Quarkus version is 3.31.0, 3.27.2, or 3.20.5 or later within its version stream. Monitor thread pool metrics for abnormal thread retention.
📡 Detection & Monitoring
Log Indicators:
- Increasing number of blocked threads in thread dumps
- Thread pool saturation warnings
- Unusually high response times for REST endpoints
Network Indicators:
- Multiple abrupt connection terminations from same source IPs
- Increased TCP RST packets to application port
SIEM Query:
source="application.logs" AND ("thread pool exhausted" OR "blocked thread" OR ("worker thread" AND "stuck"))