CVE-2025-66560: Quarkus REST has potential worker thread starvation when HTTP connection is closed while waiting to write

January 7, 2026

A vulnerability exists in the HTTP layer of Quarkus REST related to response handling. When a response is being written, the framework waits for previously written response chunks to be fully transmitted before proceeding. If the client connection is dropped during this waiting period, the associated worker thread is never released and becomes permanently blocked. Under sustained or repeated occurrences, this can exhaust the available worker threads, leading to degraded performance, or complete unavailability of the application.

References

github.com/advisories/GHSA-5rfx-cp42-p624
github.com/quarkusio/quarkus
github.com/quarkusio/quarkus/security/advisories/GHSA-5rfx-cp42-p624
nvd.nist.gov/vuln/detail/CVE-2025-66560

Code Behaviors & Features

Detect and mitigate CVE-2025-66560 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →