Home > Vulnerability Database > CVE-2025-49574

Mend.io Vulnerability Database

CVE-2025-49574

Good to know:

Date: June 23, 2025

Quarkus is a Cloud Native, (Linux) Container First framework for writing Java applications. In versions prior to 3.24.0, there is a potential data leak when duplicating a duplicated context. Quarkus extensively uses the Vert.x duplicated context to implement context propagation. With the new semantic data from one transaction can leak to the data from another transaction. From a Vert.x point of view, this new semantic clarifies the behavior. A significant amount of data is stored in the duplicated context, including request scope, security details, and metadata. Duplicating a duplicated context is rather rare and is only done in a few places. This issue has been patched in version 3.24.0.

Severity Score

6.4

Related Resources (6)

Url: https://github.com/quarkusio/quarkus/issues/48227

Url: https://github.com/quarkusio/quarkus

Url: https://github.com/quarkusio/quarkus/commit/2b58f59f4bf0bae7d35b1abb585b65f2a66787d1

Url: https://github.com/quarkusio/quarkus/security/advisories/GHSA-9623-mj7j-p9v4

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-49574

Url: https://www.mend.io/vulnerability-database/CVE-2025-49574

Severity Score

6.4

Weakness Type (CWE)

Exposure of Resource to Wrong Sphere

CWE-668

Top Fix

Upgrade Version

Upgrade to version io.quarkus:quarkus-vertx:3.24.0;https://github.com/quarkusio/quarkus.git - no_fix

Learn More

CVSS v3.1

Base Score:	6.4
Attack Vector (AV):	ADJACENT_NETWORK
Attack Complexity (AC):	HIGH
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2025-49574

Good to know:

Date: June 23, 2025

Severity Score

Related Resources (6)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?