CVE-2025-66560
Thread Exhaustion Vulnerability in Quarkus REST HTTP Response Handling

Publication date: 2026-01-07

Last updated on: 2026-02-03

Assigner: GitHub, Inc.

Description
Quarkus is a Cloud Native, (Linux) Container First framework for writing Java applications. Prior to versions 3.31.0, 3.27.2, and 3.20.5, a vulnerability exists in the HTTP layer of Quarkus REST related to response handling. When a response is being written, the framework waits for previously written response chunks to be fully transmitted before proceeding. If the client connection is dropped during this waiting period, the associated worker thread is never released and becomes permanently blocked. Under sustained or repeated occurrences, this can exhaust the available worker threads, leading to degraded performance or complete unavailability of the application. This issue has been patched in versions 3.31.0, 3.27.2, and 3.20.5. A workaround involves implementing a health check that monitors the status and saturation of the worker thread pool to detect abnormal thread retention early.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-01-07
EPSS evaluated: 2026-05-05
Affected Vendors & Products
Vendor    Product   Version / Range
quarkus   quarkus   up to 3.30.6 (exclusive)
quarkus   quarkus   up to 3.20.4 (exclusive)
Note that these CPE ranges end below the fixed versions named in the description (3.31.0, 3.27.2 and 3.20.5) and therefore understate the exposure; when assessing an installation, treat every release earlier than the patched version of its stream as affected.
CWE ID    Description
CWE-770   Allocation of Resources Without Limits or Throttling: the product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability affects the HTTP layer of the Quarkus REST framework in certain versions before 3.31.0, 3.27.2, and 3.20.5. When the server is writing a response, it waits for previously sent response chunks to be fully transmitted before continuing. If the client connection drops during this waiting period, the worker thread handling the response becomes permanently blocked and is never released. Over time, repeated occurrences can exhaust the pool of available worker threads, leading to degraded performance or complete unavailability of the application. [1]


How can this vulnerability impact me?

The vulnerability can cause worker thread starvation in the Quarkus REST framework, which means that worker threads become permanently blocked and unavailable. Under sustained or repeated client connection drops, this can exhaust the worker thread pool, resulting in degraded application performance or even complete unavailability, impacting the availability of your application. [1]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This is a resource-exhaustion flaw, so detection means watching the worker pool rather than looking for an indicator on the wire. The advisory's suggested check is a health check that reports the status and saturation of the worker thread pool, so that abnormal thread retention is caught early. The advisory gives no specific commands. In practice, two JVM thread dumps taken a few minutes apart (`jstack <pid>` or `jcmd <pid> Thread.print`) will show worker threads that sit in the same response-writing frame in both dumps and never return to the pool; seen from metrics, the equivalent signal is a pool that stays near its maximum size while request volume has dropped. [1]


What immediate steps should I take to mitigate this vulnerability?

Upgrade Quarkus to the patched release of the stream you are on: 3.20.5, 3.27.2, or 3.31.0. If upgrading is not immediately possible, implement a health check that monitors worker thread pool saturation so that abnormal thread retention is detected and acted on early. Because a leaked thread is never returned to the pool, a saturated instance does not recover on its own and has to be restarted; the health check buys detection, not recovery. [1]
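The following is an added example of the health-check workaround named in the two answers above (detection and mitigation); it is not code from the Quarkus project or from the advisory. It assumes the application uses the quarkus-smallrye-health extension, that Quarkus exposes its main worker pool as an injectable `java.util.concurrent.ExecutorService` backed by a JBoss Threads `EnhancedQueueExecutor` (both treated as assumptions and checked at runtime), and it introduces a hypothetical configuration property `app.worker-pool.saturation-threshold` for the cut-off.

```java
package org.example.health; // hypothetical package, not part of Quarkus

import java.util.concurrent.ExecutorService;

import org.eclipse.microprofile.config.inject.ConfigProperty;
import org.eclipse.microprofile.health.HealthCheck;
import org.eclipse.microprofile.health.HealthCheckResponse;
import org.eclipse.microprofile.health.HealthCheckResponseBuilder;
import org.eclipse.microprofile.health.Readiness;
import org.jboss.threads.EnhancedQueueExecutor;

import jakarta.enterprise.context.ApplicationScoped;
import jakarta.inject.Inject;

/**
 * Readiness check implementing the CVE-2025-66560 workaround: report the worker
 * pool's saturation and go DOWN when too many worker threads are busy, so a load
 * balancer stops sending traffic to an instance whose threads are being leaked
 * by dropped client connections.
 */
@Readiness
@ApplicationScoped
public class WorkerPoolSaturationCheck implements HealthCheck {

    // Assumption: Quarkus exposes its main worker pool as an injectable ExecutorService.
    @Inject
    ExecutorService workerPool;

    // Hypothetical property; 0.9 means "DOWN once 90% or more of the pool is busy".
    @ConfigProperty(name = "app.worker-pool.saturation-threshold", defaultValue = "0.9")
    double saturationThreshold;

    @Override
    public HealthCheckResponse call() {
        HealthCheckResponseBuilder response = HealthCheckResponse.named("worker-pool-saturation");

        // Assumption: the pool is a JBoss Threads EnhancedQueueExecutor, which exposes the
        // counters needed here. Any other executor type cannot be inspected, so report UP
        // with a flag rather than failing the readiness probe for the wrong reason.
        if (!(workerPool instanceof EnhancedQueueExecutor)) {
            return response.up()
                    .withData("inspected", false)
                    .withData("executorClass", workerPool.getClass().getName())
                    .build();
        }

        EnhancedQueueExecutor pool = (EnhancedQueueExecutor) workerPool;
        int active = pool.getActiveCount();   // threads currently executing a task
        int max = pool.getMaximumPoolSize();  // upper bound (quarkus.thread-pool.max-threads)
        int queued = pool.getQueueSize();     // tasks waiting for a free worker thread
        double saturation = max == 0 ? 0.0 : (double) active / max;

        response.withData("inspected", true)
                .withData("activeThreads", active)
                .withData("maxThreads", max)
                .withData("queuedTasks", queued)
                .withData("saturation", String.format("%.2f", saturation));

        // A healthy pool returns threads quickly. A pool leaking threads to dropped
        // connections creeps toward max and stays there even when load falls off.
        return saturation >= saturationThreshold ? response.down().build() : response.up().build();
    }
}
```

With the health extension present the result is visible under `/q/health/ready`. As a readiness check it only takes the instance out of rotation; since leaked threads are never returned to the pool, automatic recovery requires a restart, which means either wiring the same logic into a liveness check (accepting that legitimate saturation would also trigger restarts) or alerting on the `saturation` datum and restarting the instance once it stays high after request volume drops.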


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability impacts the availability of the application by causing worker thread exhaustion and potential unavailability, but it does not affect confidentiality or integrity. There is no specific information provided about its direct effect on compliance with standards like GDPR or HIPAA. [1]

