CVE-2025-14969
Connection Pool Leak in Hibernate Reactive Causes DoS Vulnerability
Publication date: 2026-01-26
Last updated on: 2026-02-05
Assigner: Red Hat, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| hibernate | hibernate_reactive | to 2423822 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-772 | The product does not release a resource after its effective lifetime has ended, i.e., after the resource is no longer needed. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-14969 is a vulnerability in Hibernate Reactive where if a remote client prematurely closes an HTTP connection during database operations, it can cause database connections to leak from the connection pool. This leak can exhaust available connections, potentially causing a Denial of Service (DoS). [1]
How can this vulnerability impact me? :
This vulnerability can lead to a Denial of Service (DoS) by exhausting the database connection pool. When connections leak due to premature client disconnections, the application may run out of available database connections, causing service unavailability and impacting the reliability and availability of your system. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring the database connection pool usage for leaks, especially after HTTP clients disconnect prematurely. You can check for an unusually high number of active or leaked connections in your database connection pool. Commands to monitor database connections depend on your database system; for example, for PostgreSQL, you can use: `SELECT * FROM pg_stat_activity;` to view active connections. Additionally, monitoring your application logs for errors related to connection pool exhaustion or unexpected client disconnects can help detect this issue. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include implementing proper handling of client disconnects in your application to ensure database connections are released back to the pool promptly. You should also monitor and limit the maximum number of connections in the pool to prevent exhaustion. Applying any available patches or updates from Hibernate Reactive that address this issue is recommended once released. Additionally, consider implementing timeouts or connection validation to detect and close leaked connections. [1]