CVE-2024-12225

io.quarkus:quarkus-security-webauthn: Quarkus WebAuthn unexpected authentication bypass

Description

A vulnerability was found in Quarkus in the quarkus-security-webauthn module. The Quarkus WebAuthn module publishes default REST endpoints for registering users and logging them in, while also allowing developers to provide custom REST endpoints. When developers provide custom endpoints, the default endpoints remain accessible. An attacker can use them to obtain a login cookie that has no corresponding user in the Quarkus application or, depending on how the application is written, one that corresponds to an existing user unrelated to the attacker, allowing anyone to log in as an existing user by knowing only that user's user name.

Remediation

Workaround:

  • It is possible to mitigate this issue by disabling the default endpoints after creating a custom one. For example, register a route that fails the default callback endpoint before the WebAuthn handler runs:

        import io.vertx.ext.web.Router;
        import jakarta.enterprise.event.Observes;

        public class Startup {
            public void init(@Observes Router router) {
                System.err.println("Securing WebAuthn default controller");
                router.post("/q/webauthn/callback").order(0).handler(rc -> rc.fail(404));
            }
        }
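The workaround above placed beside a regression test that confirms the default callback endpoint is no longer reachable, as an added example (not code from the Quarkus project or the advisory); the package name org.acme, the file paths and the test class name are assumptions:

```java
// src/main/java/org/acme/Startup.java  (path and package are assumptions)
package org.acme;

import io.vertx.ext.web.Router;
import jakarta.enterprise.event.Observes;

public class Startup {

    // Runs at startup once the Vert.x router exists. order(0) places this
    // route ahead of the default WebAuthn handler, so the default callback
    // endpoint fails with 404 before the module ever sees the request.
    public void init(@Observes Router router) {
        System.err.println("Securing WebAuthn default controller");
        router.post("/q/webauthn/callback").order(0).handler(rc -> rc.fail(404));
    }
}

// src/test/java/org/acme/WebAuthnDefaultEndpointTest.java  (assumed name)
package org.acme;

import static io.restassured.RestAssured.given;

import io.quarkus.test.junit.QuarkusTest;
import org.junit.jupiter.api.Test;

@QuarkusTest
public class WebAuthnDefaultEndpointTest {

    // A well-formed POST to the default callback must be rejected with 404.
    // If this test starts failing, the default endpoint is reachable again.
    @Test
    public void defaultCallbackIsDisabled() {
        given()
            .contentType("application/json")
            .body("{}")
        .when()
            .post("/q/webauthn/callback")
        .then()
            .statusCode(404);
    }
}
```

The test needs the standard Quarkus test dependencies (io.quarkus:quarkus-junit5 and io.rest-assured:rest-assured) on the test classpath.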

CVSS

CVSS 3.1 base score: 9.1
Severity: Critical
EPSS: 0.04%
Vendor Advisory: redhat.com
Affected: Red Hat build of Quarkus

References

https://access.redhat.com/security/cve/CVE-2024-12225 (vendor advisory, mitigation, VDB entry)
https://bugzilla.redhat.com/show_bug.cgi?id=2330484 (vendor advisory, issue tracking)

Frequently Asked Questions

What is the severity of CVE-2024-12225?
CVE-2024-12225 has been scored as a critical severity vulnerability.
How to fix CVE-2024-12225?
As a workaround for remediating CVE-2024-12225, disable the default endpoints after creating a custom one; the Remediation section above shows the startup code that fails the default /q/webauthn/callback endpoint with 404.
Is CVE-2024-12225 being actively exploited in the wild?
As of now, there is no information confirming that CVE-2024-12225 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2024-12225?
CVE-2024-12225 affects Red Hat build of Quarkus.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registered trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registered trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.