CVE-2025-66560

Quarkus is a Cloud Native, (Linux) Container First framework for writing Java applications. Prior to versions 3.31.0, 3.27.2, and 3.20.5, a vulnerability exists in the HTTP layer of Quarkus REST related to response handling. When a response is being written, the framework waits for previously written response chunks to be fully transmitted before proceeding. If the client connection is dropped during this waiting period, the associated worker thread is never released and becomes permanently blocked. Under sustained or repeated occurrences, this can exhaust the available worker threads, leading to degraded performance, or complete unavailability of the application. This issue has been patched in versions 3.31.0, 3.27.2, and 3.20.5. A workaround involves implementing a health check that monitors the status and saturation of the worker thread pool to detect abnormal thread retention early.

CVSS v3 5.9 MEDIUM

5.9^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.2 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/quarkusio/quarkus/security/advisories/GHSA-5rfx-cp42-p624	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:quarkus:quarkus::::::::
	cpe:2.3:a:quarkus:quarkus::::::::
	cpe:2.3:a:quarkus:quarkus::::::::

History

03 Feb 2026, 16:40

Type	Values Removed	Values Added
CPE		cpe:2.3:a:quarkus:quarkus::::::::
References	~~() https://github.com/quarkusio/quarkus/security/advisories/GHSA-5rfx-cp42-p624 -~~	() https://github.com/quarkusio/quarkus/security/advisories/GHSA-5rfx-cp42-p624 - Vendor Advisory
First Time		Quarkus quarkus Quarkus

Information

Published : 2026-01-07 18:15

Updated : 2026-02-03 16:40

NVD link : CVE-2025-66560

Mitre link : CVE-2025-66560

CVE.ORG link : CVE-2025-66560

JSON object : View

Products Affected

quarkus

quarkus

CWE

CWE-770

Allocation of Resources Without Limits or Throttling

{"id": "CVE-2025-66560", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.2}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2026-01-07T18:15:52.023", "references": [{"url": "https://github.com/quarkusio/quarkus/security/advisories/GHSA-5rfx-cp42-p624", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-770"}]}], "descriptions": [{"lang": "en", "value": "Quarkus is a Cloud Native, (Linux) Container First framework for writing Java applications. Prior to versions 3.31.0, 3.27.2, and 3.20.5, a vulnerability exists in the HTTP layer of Quarkus REST related to response handling. When a response is being written, the framework waits for previously written response chunks to be fully transmitted before proceeding. If the client connection is dropped during this waiting period, the associated worker thread is never released and becomes permanently blocked. Under sustained or repeated occurrences, this can exhaust the available worker threads, leading to degraded performance, or complete unavailability of the application. This issue has been patched in versions 3.31.0, 3.27.2, and 3.20.5. A workaround involves implementing a health check that monitors the status and saturation of the worker thread pool to detect abnormal thread retention early."}], "lastModified": "2026-02-03T16:40:28.577", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "015CA670-5F52-45CF-B627-3267A1C646DB", "versionEndExcluding": "3.20.5"}, {"criteria": "cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3691AA3B-570C-4770-B8AE-E97B6A3CFF35", "versionEndExcluding": "3.27.2", "versionStartIncluding": "3.21.0"}, {"criteria": "cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "32AFDCC2-2866-4586-AC70-97200C850B4B", "versionEndExcluding": "3.31.0", "versionStartIncluding": "3.30.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}