CVE-2024-12397 Overview
CVE-2024-12397 is a cookie parsing flaw in Quarkus-HTTP that mishandles value-delimiting characters in incoming HTTP requests. An attacker can craft a cookie value to exfiltrate HttpOnly cookie contents or inject spoofed cookie values into the parsed request. The flaw is classified under CWE-444, Inconsistent Interpretation of HTTP Requests (HTTP Request/Response Smuggling). Successful exploitation impacts confidentiality and integrity of session data handled by affected Quarkus applications. The issue is network-reachable, requires no authentication, and no user interaction.
Critical Impact
Attackers can exfiltrate HttpOnly session cookies or spoof additional cookie values, leading to unauthorized data access and session integrity compromise.
Affected Products
- Quarkus-HTTP (upstream component)
- Red Hat build of Quarkus (see RHSA-2025:0900)
- Red Hat middleware products bundling Quarkus-HTTP (see RHSA-2025:3018 and RHSA-2025:8761)
Discovery Timeline
- 2024-12-12 - CVE-2024-12397 published to NVD
- 2025-01-30 - Red Hat publishes RHSA-2025:0900
- 2025-03-19 - Red Hat publishes RHSA-2025:3018
- 2025-06-09 - Red Hat publishes RHSA-2025:8761
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2024-12397
Vulnerability Analysis
Quarkus-HTTP incorrectly parses cookie headers that contain certain value-delimiting characters. The parser does not consistently identify cookie name and value boundaries when an attacker injects characters such as double quotes, commas, or equals signs inside a crafted Cookie header. This inconsistency lets the attacker influence how downstream application logic reads cookie state. The result is either disclosure of cookies marked HttpOnly to attacker-controlled cookie names or insertion of arbitrary cookie name/value pairs into the parsed map.
The issue maps to CWE-444, where one HTTP component interprets a request differently than another. Quarkus applications that rely on cookie integrity for session handling, CSRF tokens, or authorization state are directly impacted.
Root Cause
The root cause lies in the cookie header tokenizer inside Quarkus-HTTP. The parser does not strictly follow RFC 6265 rules for handling quoted values and special delimiters. When a single Cookie header contains a value with an embedded delimiter, the parser splits the string in a way that exposes adjacent cookie data or accepts attacker-supplied substitutes for it.
Attack Vector
The attacker sends an HTTP request with a crafted Cookie header to a Quarkus-HTTP backed endpoint. No authentication or user interaction is required. The crafted header coerces the parser into producing a cookie map that either leaks the value of a sibling HttpOnly cookie or adds attacker-chosen key/value pairs. No public proof-of-concept exploit is currently listed in the referenced advisories. See the Red Hat CVE-2024-12397 Report and Red Hat Bugzilla #2331298 for vendor analysis.
Detection Methods for CVE-2024-12397
Indicators of Compromise
- Inbound Cookie headers containing unescaped double quotes, commas, or unexpected = characters inside a single cookie value.
- Application logs showing cookie names that were never set by the server appearing in session state.
- Repeated requests from the same client probing different cookie payload variants against authentication endpoints.
Detection Strategies
- Inspect HTTP access logs and web application firewall telemetry for malformed Cookie headers, particularly values containing quote characters or commas.
- Compare cookies emitted by the server against cookies the application observes in subsequent requests to detect spoofed entries.
- Hunt for anomalous session identifier reuse across different source IPs that may indicate HttpOnly cookie exfiltration.
Monitoring Recommendations
- Enable verbose request logging on Quarkus endpoints handling authentication or session-bound APIs.
- Forward web server and reverse proxy logs to a centralized analytics platform and alert on cookie header anomalies.
- Track Red Hat advisories RHSA-2025:0900, RHSA-2025:3018, and RHSA-2025:8761 for product-specific fixed versions.
How to Mitigate CVE-2024-12397
Immediate Actions Required
- Inventory all Quarkus deployments and identify services that embed Quarkus-HTTP as the transport layer.
- Apply vendor-supplied updates listed in the Red Hat advisories to affected middleware and runtime products.
- Rotate session identifiers and any sensitive cookie values issued before patching to invalidate potentially exfiltrated data.
Patch Information
Red Hat has published fixes through RHSA-2025:0900, RHSA-2025:3018, and RHSA-2025:8761. Operators of upstream Quarkus-HTTP should upgrade to the fixed component versions referenced in the Red Hat CVE-2024-12397 Report. Verify each deployed product against its corresponding advisory before declaring remediation complete.
Workarounds
- Deploy a reverse proxy or web application firewall rule that rejects Cookie headers containing unescaped quote or comma characters.
- Reduce the blast radius by setting short session lifetimes and binding session tokens to client attributes such as source IP or TLS fingerprint.
- Audit application code to avoid trusting cookie values for security-sensitive decisions without server-side validation.
# Example NGINX rule to drop requests with suspicious Cookie header characters
map $http_cookie $bad_cookie {
default 0;
"~[\"]" 1;
}
server {
if ($bad_cookie) {
return 400;
}
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
