CVE-2025-66560

HIGH EPSS 26.8%

Published Jan 7, 20265mo ago · Modified Jun 17, 20261w ago

7.5 CVSS 3.1

High

Published Jan 7, 2026 5mo ago

Last Modified Jun 17, 2026 1w ago

Description

Quarkus is a Cloud Native, (Linux) Container First framework for writing Java applications. Prior to versions 3.31.0, 3.27.2, and 3.20.5, a vulnerability exists in the HTTP layer of Quarkus REST related to response handling. When a response is being written, the framework waits for previously written response chunks to be fully transmitted before proceeding. If the client connection is dropped during this waiting period, the associated worker thread is never released and becomes permanently blocked. Under sustained or repeated occurrences, this can exhaust the available worker threads, leading to degraded performance, or complete unavailability of the application. This issue has been patched in versions 3.31.0, 3.27.2, and 3.20.5. A workaround involves implementing a health check that monitors the status and saturation of the worker thread pool to detect abnormal thread retention early.

CVSS Details

Base Score

7.5

Exploitability

3.9

Impact

3.6

Vector string

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector Network

Attack Complexity Low

Privileges Required None

User Interaction None

Scope Unchanged

Confidentiality None

Integrity None

Availability High

Threat Intelligence

EPSS Exploit Probability

26.8% percentile

Exploit & Patch Status

No Known Exploit

No Patch Available

Weaknesses 1

CWE-770

Affected Products 3

Vendor	Product	Version	Range
quarkus	quarkus	*	<3.20.5
quarkus	quarkus	*	≥3.21.0 – <3.27.2
quarkus	quarkus	*	≥3.30.0 – <3.31.0

References 1

github.com https://github.com/quarkusio/quarkus/security/advisories/GHSA-5rfx-cp42-p624

Vendor Advisory

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.