CVE-2025-1247 - Vulnerability Details

A flaw was found in Quarkus REST that allows request parameters to leak between concurrent requests if endpoints use field injection without a CDI scope. This vulnerability allows attackers to manipulate request data, impersonate users, or access sensitive information.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact total

Vendors	Products
Redhat	Camel Quarkus Quarkus

No data.

Package	CPE	Advisory	Released Date
Red Hat Build of Apache Camel 4.8 for Quarkus 3.15
io.quarkus/quarkus-rest	cpe:/a:redhat:camel_quarkus:3.15	RHSA-2025:2067	2025-03-03T00:00:00Z
Red Hat build of Quarkus 3.15.3.SP1
io.quarkus/quarkus-rest	cpe:/a:redhat:quarkus:3.15::el8	RHSA-2025:1885	2025-02-27T00:00:00Z
Red Hat build of Quarkus 3.8.6.SP3
io.quarkus/quarkus-rest	cpe:/a:redhat:quarkus:3.8::el8	RHSA-2025:1884	2025-02-27T00:00:00Z

References

Link	Providers
https://access.redhat.com/errata/RHSA-2025:1884
https://access.redhat.com/errata/RHSA-2025:1885
https://access.redhat.com/errata/RHSA-2025:2067
https://access.redhat.com/security/cve/CVE-2025-1247
https://bugzilla.redhat.com/show_bug.cgi?id=2345172
https://nvd.nist.gov/vuln/detail/CVE-2025-1247
https://www.cve.org/CVERecord?id=CVE-2025-1247

History

Sun, 13 Jul 2025 13:45:00 +0000

Type	Values Removed	Values Added
Metrics	epss `{'score': 0.00031}`	epss `{'score': 0.00034}`

Fri, 11 Jul 2025 13:45:00 +0000

Type	Values Removed	Values Added
Metrics	epss `{'score': 0.00037}`	epss `{'score': 0.00031}`

Mon, 03 Mar 2025 13:30:00 +0000

Type	Values Removed	Values Added
CPEs	~~cpe:/a:redhat:camel_quarkus:3~~	cpe:/a:redhat:camel_quarkus:3.15
References		https://access.redhat.com/errata/RHSA-2025:2067

Thu, 27 Feb 2025 15:30:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:/a:redhat:quarkus:3.8::el8
References		https://access.redhat.com/errata/RHSA-2025:1884

Thu, 27 Feb 2025 14:15:00 +0000

Type	Values Removed	Values Added
CPEs	~~cpe:/a:redhat:quarkus:3~~	cpe:/a:redhat:quarkus:3.15::el8
References		https://access.redhat.com/errata/RHSA-2025:1885

Thu, 13 Feb 2025 15:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Thu, 13 Feb 2025 13:30:00 +0000

Type	Values Removed	Values Added
Description	No description is available for this CVE.	A flaw was found in Quarkus REST that allows request parameters to leak between concurrent requests if endpoints use field injection without a CDI scope. This vulnerability allows attackers to manipulate request data, impersonate users, or access sensitive information.
Title	io.quarkus:quarkus-rest: Quarkus REST Endpoint Request Parameter Leakage Due to Shared Instance	Io.quarkus:quarkus-rest: quarkus rest endpoint request parameter leakage due to shared instance
First Time appeared		Redhat Redhat camel Quarkus Redhat quarkus
CPEs		cpe:/a:redhat:camel_quarkus:3 cpe:/a:redhat:quarkus:3
Vendors & Products		Redhat Redhat camel Quarkus Redhat quarkus
References		https://access.redhat.com/security/cve/CVE-2025-1247 https://bugzilla.redhat.com/show_bug.cgi?id=2345172

Wed, 12 Feb 2025 13:45:00 +0000

Type	Values Removed	Values Added
Description		No description is available for this CVE.
Title		io.quarkus:quarkus-rest: Quarkus REST Endpoint Request Parameter Leakage Due to Shared Instance
Weaknesses		CWE-488
References		https://nvd.nist.gov/vuln/detail/CVE-2025-1247 https://www.cve.org/CVERecord?id=CVE-2025-1247
Metrics	threat_severity `None`	cvssV3_1 `{'score': 8.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L'}` threat_severity `Important`

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2025-02-13T13:26:26.992Z

Updated: 2025-08-27T13:34:39.050Z

Reserved: 2025-02-12T09:43:11.716Z

Link: CVE-2025-1247

Vulnrichment

Updated: 2025-02-13T14:11:35.346Z

NVD

Status : Awaiting Analysis

Published: 2025-02-13T14:16:18.400

Modified: 2025-03-03T14:15:34.120

Link: CVE-2025-1247

Redhat

Severity : Important

Publid Date: 2025-02-12T00:00:00Z

Links: CVE-2025-1247 - Bugzilla

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact Low

User Interaction None

Exploitation none

Automatable no

Technical Impact total

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object