CVE-2025-49574

Quarkus potential data leak when duplicating a duplicated context

Description

Quarkus is a Cloud Native, (Linux) Container First framework for writing Java applications. In versions prior to 3.24.0, there is a potential data leak when duplicating a duplicated context. Quarkus extensively uses the Vert.x duplicated context to implement context propagation. With the new semantic data from one transaction can leak to the data from another transaction. From a Vert.x point of view, this new semantic clarifies the behavior. A significant amount of data is stored in the duplicated context, including request scope, security details, and metadata. Duplicating a duplicated context is rather rare and is only done in a few places. This issue has been patched in version 3.24.0.

Category

6.4
CVSS
Severity: Medium
CVSS 3.1 •
EPSS 0.02%
Affected: quarkusio quarkus
Published at:
Updated at:

References

Link Tags
https://github.com/quarkusio/quarkus/security/advisories/GHSA-9623-mj7j-p9v4
https://github.com/quarkusio/quarkus/issues/48227
https://github.com/quarkusio/quarkus/commit/2b58f59f4bf0bae7d35b1abb585b65f2a66787d1

Frequently Asked Questions

What is the severity of CVE-2025-49574?
CVE-2025-49574 has been scored as a medium severity vulnerability.
How to fix CVE-2025-49574?
To fix CVE-2025-49574, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2025-49574 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2025-49574 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2025-49574?
CVE-2025-49574 affects quarkusio quarkus.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.