{"api_version":"1","generated_at":"2026-04-22T22:41:04+00:00","cve":"CVE-2025-1634","urls":{"html":"https://cve.report/CVE-2025-1634","api":"https://cve.report/api/cve/CVE-2025-1634.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2025-1634","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2025-1634"},"summary":{"title":"Io.quarkus:quarkus-resteasy: memory leak in quarkus resteasy classic when client requests timeout","description":"A flaw was found in the quarkus-resteasy extension, which causes memory leaks when client requests with low timeouts are made. If a client request times out, a buffer is not released correctly, leading to increased memory usage and eventual application crash due to OutOfMemoryError.","state":"PUBLISHED","assigner":"redhat","published_at":"2025-02-26 17:15:22","updated_at":"2026-04-20 19:16:08"},"problem_types":["CWE-401","CWE-401 Missing Release of Memory after Effective Lifetime"],"metrics":[{"version":"3.1","source":"secalert@redhat.com","type":"Secondary","score":"7.5","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"}},{"version":"3.1","source":"CNA","type":"CVSS","score":"7.5","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","data":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"NONE","integrityImpact":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","version":"3.1"}}],"references":[{"url":"https://access.redhat.com/errata/RHSA-2025:1884","name":"https://access.redhat.com/errata/RHSA-2025:1884","refsource":"secalert@redhat.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://access.redhat.com/errata/RHSA-2025:23417","name":"https://access.redhat.com/errata/RHSA-2025:23417","refsource":"secalert@redhat.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://access.redhat.com/errata/RHSA-2025:2067","name":"https://access.redhat.com/errata/RHSA-2025:2067","refsource":"secalert@redhat.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/quarkusio/quarkus/issues/46412","name":"https://github.com/quarkusio/quarkus/issues/46412","refsource":"secalert@redhat.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2347319","name":"https://bugzilla.redhat.com/show_bug.cgi?id=2347319","refsource":"secalert@redhat.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/quarkusio/quarkus/pull/46419","name":"https://github.com/quarkusio/quarkus/pull/46419","refsource":"secalert@redhat.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://access.redhat.com/errata/RHSA-2025:12511","name":"https://access.redhat.com/errata/RHSA-2025:12511","refsource":"secalert@redhat.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://access.redhat.com/errata/RHSA-2025:1885","name":"https://access.redhat.com/errata/RHSA-2025:1885","refsource":"secalert@redhat.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://access.redhat.com/errata/RHSA-2025:9922","name":"https://access.redhat.com/errata/RHSA-2025:9922","refsource":"secalert@redhat.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://access.redhat.com/security/cve/CVE-2025-1634","name":"https://access.redhat.com/security/cve/CVE-2025-1634","refsource":"secalert@redhat.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2025-1634","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-1634","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Red Hat","product":"Red Hat Build of Apache Camel 4.8 for Quarkus 3.15","version":"","platforms":[]},{"source":"CNA","vendor":"Red Hat","product":"Red Hat build of Quarkus 3.15.3.SP1","version":"","platforms":[]},{"source":"CNA","vendor":"Red Hat","product":"Red Hat build of Quarkus 3.8.6.SP3","version":"","platforms":[]},{"source":"CNA","vendor":"Red Hat","product":"Streams for Apache Kafka 2.9.1","version":"","platforms":[]},{"source":"CNA","vendor":"Red Hat","product":"Streams for Apache Kafka 3.0.0","version":"","platforms":[]},{"source":"CNA","vendor":"Red Hat","product":"Streams for Apache Kafka 3.1.0","version":"","platforms":[]}],"timeline":[{"source":"CNA","time":"2025-02-24T14:17:31.237Z","lang":"en","value":"Reported to Red Hat."},{"source":"CNA","time":"2025-02-24T00:00:00.000Z","lang":"en","value":"Made public."}],"solutions":[],"workarounds":[{"source":"CNA","title":"","value":"Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.","time":"","lang":"en"}],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2025","cve_id":"1634","cve":"CVE-2025-1634","epss":"0.004620000","percentile":"0.642590000","score_date":"2026-04-21","updated_at":"2026-04-22 00:07:40"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"other":{"content":{"id":"CVE-2025-1634","options":[{"Exploitation":"none"},{"Automatable":"yes"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","timestamp":"2025-02-26T17:22:33.342704Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2025-02-26T17:25:47.506Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"collectionURL":"https://github.com/quarkusio/quarkus","defaultStatus":"unaffected","packageName":"quarkus-resteasy","versions":[{"lessThan":"3.8.6","status":"affected","version":"0","versionType":"semver"},{"lessThan":"3.15.3","status":"affected","version":"0","versionType":"semver"}]},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:camel_quarkus:3.15"],"defaultStatus":"unaffected","packageName":"quarkus-resteasy","product":"Red Hat Build of Apache Camel 4.8 for Quarkus 3.15","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:quarkus:3.15::el8"],"defaultStatus":"unaffected","packageName":"quarkus-resteasy","product":"Red Hat build of Quarkus 3.15.3.SP1","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:quarkus:3.8::el8"],"defaultStatus":"unaffected","packageName":"quarkus-resteasy","product":"Red Hat build of Quarkus 3.8.6.SP3","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:amq_streams:2.9::el9"],"defaultStatus":"unaffected","product":"Streams for Apache Kafka 2.9.1","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:amq_streams:3.0::el9"],"defaultStatus":"unaffected","product":"Streams for Apache Kafka 3.0.0","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:amq_streams:3.1::el9"],"defaultStatus":"unaffected","packageName":"quarkus-resteasy","product":"Streams for Apache Kafka 3.1.0","vendor":"Red Hat"}],"datePublic":"2025-02-24T00:00:00.000Z","descriptions":[{"lang":"en","value":"A flaw was found in the quarkus-resteasy extension, which causes memory leaks when client requests with low timeouts are made. If a client request times out, a buffer is not released correctly, leading to increased memory usage and eventual application crash due to OutOfMemoryError."}],"metrics":[{"other":{"content":{"namespace":"https://access.redhat.com/security/updates/classification/","value":"Important"},"type":"Red Hat severity rating"}},{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"NONE","integrityImpact":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","version":"3.1"},"format":"CVSS"}],"problemTypes":[{"descriptions":[{"cweId":"CWE-401","description":"Missing Release of Memory after Effective Lifetime","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-04-20T18:50:51.922Z","orgId":"53f830b8-0a3f-465b-8143-3b8a9948e749","shortName":"redhat"},"references":[{"name":"RHSA-2025:12511","tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2025:12511"},{"name":"RHSA-2025:1884","tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2025:1884"},{"name":"RHSA-2025:1885","tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2025:1885"},{"name":"RHSA-2025:2067","tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2025:2067"},{"name":"RHSA-2025:23417","tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2025:23417"},{"name":"RHSA-2025:9922","tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2025:9922"},{"tags":["vdb-entry","x_refsource_REDHAT"],"url":"https://access.redhat.com/security/cve/CVE-2025-1634"},{"name":"RHBZ#2347319","tags":["issue-tracking","x_refsource_REDHAT"],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2347319"},{"url":"https://github.com/quarkusio/quarkus/issues/46412"},{"url":"https://github.com/quarkusio/quarkus/pull/46419"}],"timeline":[{"lang":"en","time":"2025-02-24T14:17:31.237Z","value":"Reported to Red Hat."},{"lang":"en","time":"2025-02-24T00:00:00.000Z","value":"Made public."}],"title":"Io.quarkus:quarkus-resteasy: memory leak in quarkus resteasy classic when client requests timeout","workarounds":[{"lang":"en","value":"Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}],"x_generator":{"engine":"cvelib 1.8.0"},"x_redhatCweChain":"CWE-401: Missing Release of Memory after Effective Lifetime"}},"cveMetadata":{"assignerOrgId":"53f830b8-0a3f-465b-8143-3b8a9948e749","assignerShortName":"redhat","cveId":"CVE-2025-1634","datePublished":"2025-02-26T16:56:23.869Z","dateReserved":"2025-02-24T14:23:22.369Z","dateUpdated":"2026-04-20T18:50:51.922Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2025-02-26 17:15:22","lastModifiedDate":"2026-04-20 19:16:08","problem_types":["CWE-401","CWE-401 Missing Release of Memory after Effective Lifetime"],"metrics":{"cvssMetricV31":[{"source":"secalert@redhat.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":3.6}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2025","CveId":"1634","Ordinal":"1","Title":"Io.quarkus:quarkus-resteasy: memory leak in quarkus resteasy cla","CVE":"CVE-2025-1634","Year":"2025"},"notes":[{"CveYear":"2025","CveId":"1634","Ordinal":"1","NoteData":"A flaw was found in the quarkus-resteasy extension, which causes memory leaks when client requests with low timeouts are made. If a client request times out, a buffer is not released correctly, leading to increased memory usage and eventual application crash due to OutOfMemoryError.","Type":"Description","Title":"Io.quarkus:quarkus-resteasy: memory leak in quarkus resteasy cla"}]}}}