CVE-2025-1634: io.quarkus:quarkus-resteasy: Memory Leak in Quarkus RESTEasy Classic When Client Requests Timeout
(updated )
A flaw was found in the quarkus-resteasy extension, which causes memory leaks when client requests with low timeouts are made. If a client request times out, a buffer is not released correctly, leading to increased memory usage and eventual application crash due to OutOfMemoryError.
References
- access.redhat.com/errata/RHSA-2025:1884
- access.redhat.com/errata/RHSA-2025:1885
- access.redhat.com/errata/RHSA-2025:2067
- access.redhat.com/security/cve/CVE-2025-1634
- bugzilla.redhat.com/show_bug.cgi?id=2347319
- github.com/advisories/GHSA-4fwr-mh5q-hchh
- github.com/quarkusio/quarkus
- github.com/quarkusio/quarkus/commit/291296befabf659b71acbfc6e03a12bd09a920f8
- github.com/quarkusio/quarkus/commit/30d949a4c54ba1057738849a804d2329c09e57be
- github.com/quarkusio/quarkus/commit/70ffbd00d71d43afa7eade32d6ed586cf927c237
- github.com/quarkusio/quarkus/commit/80b8eb41678cdccb46e964dc324d048a5ef00f4b
- github.com/quarkusio/quarkus/issues/46412
- github.com/quarkusio/quarkus/pull/46425
- github.com/quarkusio/quarkus/pull/46426
- nvd.nist.gov/vuln/detail/CVE-2025-1634
Code Behaviors & Features
Detect and mitigate CVE-2025-1634 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →