CVE-2025-49574
BaseFortify
Publication date: 2025-06-23
Last updated on: 2025-12-22
Assigner: GitHub, Inc.
Exploitability
| CWE ID | Description |
|---|---|
| CWE-668 | The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in Quarkus stems from a behaviour change in how Vert.x 4.5.12 handles duplicated contexts. Previously, duplicating an already duplicated context produced a fresh, empty duplicate, so data belonging to one unit of work stayed isolated from the next. In Vert.x 4.5.12 the new duplicate instead receives a copy of the parent duplicated context's content, so data from one transaction can leak into another. Because Quarkus uses Vert.x duplicated contexts to propagate per-request state (the request scope, security details and metadata such as MDC values), any Quarkus code path that duplicates a duplicated context can now carry that state across the boundary. The advisory notes this only bites in a few cases, such as the REST Client combined with OpenTelemetry and some messaging connectors. The issue is fixed in Quarkus 3.24.0. [1, 2]
How can this vulnerability impact me?
Data that should be private to one request or transaction (request-scope information, security details, MDC and telemetry metadata) can become visible in another that was forked from it, which compromises both the confidentiality and the integrity of data processed by Quarkus applications running on Vert.x 4.5.12 or later. The most visible symptom is wrong or mixed-up logging and telemetry; in the worst case, information belonging to one transaction is exposed to parties who should not see it. In CVSS terms the attack complexity is high, the attack vector is adjacent, low privileges are required and no user interaction is needed; the impact is high on confidentiality and integrity and none on availability. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Affected versions are Quarkus 3.18.1 up to, but not including, 3.24.0, so the first check is the Quarkus version of each application, together with the resolved `io.vertx:vertx-core` version in its build (the behaviour change is only present from Vert.x 4.5.12 onwards). The resources provide no network- or host-level command that detects this vulnerability directly: it is a library behaviour inside the application, not a listening service. Beyond version checks, review application code for places that duplicate an already duplicated Vert.x context, and watch logs and telemetry for context data (MDC values, request attributes) appearing under the wrong request, which is the symptom the advisory describes. [1, 2]
What immediate steps should I take to mitigate this vulnerability?
Upgrade Quarkus to 3.24.0 or later, where the issue is fixed. If you cannot upgrade yet and your own code duplicates Vert.x contexts, apply the advisory's workaround and duplicate the root context explicitly instead of the current (possibly already duplicated) one: `((ContextInternal) VertxContext.getRootContext(ctx)).duplicate()`. The new duplicate then starts empty, so nothing carries over from the parent transaction. For logging context specifically, migrating VertxMDC to a custom ContextLocal implementation instead of the deprecated context-local API also avoids the copied data until a Vert.x release without this behaviour is integrated. [1, 2]
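To make the behaviour described in the first answer and the workaround quoted above concrete, here is an added example. It is not code from the advisory, the Quarkus project or Vert.x. It forks a second unit of work from a duplicated context both ways: the pattern the advisory describes as leaking, and the root-context workaround. It assumes `vertx-core` 4.5.x and `quarkus-vertx` (for `VertxContext`) on the classpath; `REQUEST_ID`, `forkFromCurrent`, `forkFromRoot` and the stored value are illustrative, and the deprecated `Context.putLocal`/`getLocal` map stands in for whatever Quarkus actually keeps in context locals.

```java
// Added example for this advisory; not code from Quarkus, Vert.x or the CVE entry.
// Assumes vertx-core 4.5.x and quarkus-vertx (for VertxContext) on the classpath.
import io.quarkus.vertx.core.runtime.context.VertxContext;
import io.vertx.core.Context;
import io.vertx.core.Vertx;
import io.vertx.core.impl.ContextInternal;

public class DuplicatedContextForkDemo {

    // Illustrative key: stands in for the request-scoped data Quarkus keeps in context locals.
    // Uses the deprecated Context.putLocal/getLocal map, the API the advisory refers to.
    static final String REQUEST_ID = "demo.request-id";

    /**
     * The pattern the advisory describes as leaking: duplicate whatever context is current,
     * even when it is already a duplicate. On Vert.x 4.5.12 the child inherits the parent's locals.
     */
    static Context forkFromCurrent(Context current) {
        return ((ContextInternal) current).duplicate();
    }

    /**
     * The advisory's workaround: walk up to the root (non-duplicated) context first and
     * duplicate that, so the child starts with an empty local map.
     */
    static Context forkFromRoot(Context current) {
        return ((ContextInternal) VertxContext.getRootContext(current)).duplicate();
    }

    public static void main(String[] args) {
        Vertx vertx = Vertx.vertx();
        try {
            // "Transaction A": a duplicated context carrying per-request state, as Quarkus would set up.
            Context txA = VertxContext.createNewDuplicatedContext(vertx.getOrCreateContext());
            txA.putLocal(REQUEST_ID, "request-A");   // constructed sample value

            // Fork a second unit of work from txA both ways (e.g. a REST Client call or message dispatch).
            Context leaky = forkFromCurrent(txA);
            Context clean = forkFromRoot(txA);

            Object seenByLeaky = leaky.getLocal(REQUEST_ID);
            Object seenByClean = clean.getLocal(REQUEST_ID);

            System.out.println("txA is a duplicated context: " + VertxContext.isDuplicatedContext(txA));
            System.out.println("forkFromCurrent sees:        " + seenByLeaky);
            System.out.println("forkFromRoot sees:           " + seenByClean);
        } finally {
            vertx.close();
        }
    }
}
```

Run it once against the Vert.x version your build resolves. According to the advisory's description, on Vert.x 4.5.12 the `forkFromCurrent` lookup returns the value stored on `txA` (the leak) while `forkFromRoot` returns `null`; on earlier 4.5.x releases both start empty. The same comparison, applied to any place in your own code that calls `duplicate()` on a context obtained from a Quarkus request, tells you whether that call site needs the root-context workaround.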