Home > Vulnerability Database > CVE-2024-12225

Mend.io Vulnerability Database

CVE-2024-12225

Good to know:

Date: May 6, 2025

A vulnerability was found in Quarkus in the quarkus-security-webauthn module. The Quarkus WebAuthn module publishes default REST endpoints for registering and logging users in while allowing developers to provide custom REST endpoints. When developers provide custom REST endpoints, the default endpoints remain accessible, potentially allowing attackers to obtain a login cookie that has no corresponding user in the Quarkus application or, depending on how the application is written, could correspond to an existing user that has no relation with the current attacker, allowing anyone to log in as an existing user by just knowing that user's user name.

Severity Score

9.1

Related Resources (4)

Url: https://access.redhat.com/security/cve/CVE-2024-12225

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-12225

Url: https://bugzilla.redhat.com/show_bug.cgi?id=2330484

Url: https://www.mend.io/vulnerability-database/CVE-2024-12225

Severity Score

9.1

Weakness Type (CWE)

Authentication Bypass Using an Alternate Path or Channel

CWE-288

Top Fix

Upgrade Version

Upgrade to version io.quarkus:quarkus-security-webauthn:3.18.0;https://github.com/quarkusio/quarkus.git - 3.18.0

Learn More

CVSS v3.1

Base Score:	9.1
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2024-12225

Good to know:

Date: May 6, 2025

Severity Score

Related Resources (4)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?