Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-66560

CVE-2025-66560: Quarkus REST HTTP Layer DoS Vulnerability

CVE-2025-66560 is a denial of service vulnerability in Quarkus REST that causes worker thread exhaustion when clients drop connections during response transmission. This article covers technical details, affected versions, and mitigations.

Updated:

CVE-2025-66560 Overview

CVE-2025-66560 is a denial of service vulnerability in Quarkus, a Cloud Native Java framework for building container-first applications. The flaw exists in the HTTP layer of Quarkus REST and affects how the framework handles response transmission. When a client connection drops while the server waits for previously written response chunks to flush, the associated worker thread is never released. Repeated occurrences exhaust the worker thread pool and render the application unresponsive. The vulnerability is tracked under [CWE-770: Allocation of Resources Without Limits or Throttling].

Critical Impact

Remote unauthenticated attackers can exhaust Quarkus worker threads by repeatedly dropping client connections during response transmission, leading to application unavailability.

Affected Products

  • Quarkus versions prior to 3.20.5 (3.20.x branch)
  • Quarkus versions prior to 3.27.2 (3.27.x branch)
  • Quarkus versions prior to 3.31.0 (3.31.x branch)

Discovery Timeline

  • 2026-01-07 - CVE-2025-66560 published to NVD
  • 2026-02-03 - Last updated in NVD database

Technical Details for CVE-2025-66560

Vulnerability Analysis

The vulnerability resides in the Quarkus REST HTTP response handling pipeline. When the framework writes a response, it waits for previously written chunks to be fully transmitted before continuing. This synchronous wait pattern does not account for client connections that terminate mid-transmission. If the client disconnects during the wait, the worker thread servicing the request becomes permanently blocked rather than being returned to the thread pool. An attacker can exploit this behavior by issuing requests against endpoints that return chunked or sizable responses and then abruptly closing the TCP connection before the response completes. Each abandoned connection consumes one worker thread indefinitely. Once the worker pool is saturated, the server cannot process new requests, resulting in complete service unavailability.

Root Cause

The root cause is improper resource release in the response writing loop. The framework lacks a timeout or cancellation signal to detect client disconnection while it awaits chunk flush acknowledgment. This is a classic resource exhaustion pattern classified under [CWE-770], where allocated worker threads are not bounded by a timeout or reclaimed on client failure.

Attack Vector

The attack vector is network-based and requires no authentication or user interaction. An unauthenticated remote attacker sends HTTP requests to any Quarkus REST endpoint that produces a response large enough to trigger chunked writes. The attacker then closes the connection before the response is fully consumed. Repeating this pattern across multiple concurrent connections drains the worker thread pool. The vulnerability mechanism does not require crafted payloads or protocol abuse, only standard HTTP requests followed by premature connection termination.

No public proof-of-concept code has been released. Refer to the GitHub Security Advisory GHSA-5rfx-cp42-p624 for vendor-supplied technical details.

Detection Methods for CVE-2025-66560

Indicators of Compromise

  • Worker thread pool saturation in Quarkus application metrics, with threads stuck in a waiting or blocked state during HTTP response writes.
  • Increasing HTTP 503 Service Unavailable responses or request timeouts as the thread pool fills.
  • Application logs showing requests that never complete and threads that do not return to the pool after client disconnect events.

Detection Strategies

  • Monitor JVM thread dumps for accumulating worker threads stuck in response write or chunk flush operations.
  • Track worker thread pool utilization metrics over time and alert on sustained saturation above expected baselines.
  • Correlate spikes in TCP connection resets or premature client disconnects with worker thread retention growth.

Monitoring Recommendations

  • Implement a Quarkus health check that reports worker thread pool saturation and abnormal thread retention, as recommended by the vendor advisory.
  • Enable HTTP access logging with connection state details to identify clients that disconnect before response completion.
  • Configure alerts on Micrometer or MicroProfile Metrics exposed by Quarkus for worker_pool_active_threads and request duration anomalies.

How to Mitigate CVE-2025-66560

Immediate Actions Required

  • Upgrade Quarkus to a patched release: 3.20.5, 3.27.2, or 3.31.0 depending on the branch in use.
  • Inventory all Quarkus services across development, staging, and production environments to identify exposed versions.
  • Restrict inbound HTTP access to Quarkus applications behind a reverse proxy or load balancer that enforces connection and request timeouts.

Patch Information

The vulnerability is fixed in Quarkus versions 3.31.0, 3.27.2, and 3.20.5. Patch details and remediation guidance are published in the Quarkus GitHub Security Advisory. Operators should select the patched release that aligns with their current major or LTS branch.

Workarounds

  • Deploy a health check that monitors worker thread pool saturation and triggers pod or instance restarts when abnormal thread retention is detected.
  • Place Quarkus services behind a reverse proxy that buffers responses and enforces aggressive client read timeouts to limit exposure to dropped connections.
  • Rate-limit or filter clients that exhibit high rates of premature connection closures during response transmission.
bash
# Update Quarkus dependency version in Maven pom.xml
mvn versions:set-property -Dproperty=quarkus.platform.version -DnewVersion=3.31.0
mvn clean package

# Or for Gradle projects, update gradle.properties
# quarkusPlatformVersion=3.31.0

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.