CVE fixes - February 2025
Today, we released CVE fix releases for Quarkus 3.8 LTS and 3.15 LTS to address several CVEs.
If you are using these versions and the mentioned components, the update is recommended.
These CVEs are already fixed in Quarkus 3.19.1, so if you are using a non-LTS version, please upgrade to Quarkus 3.19.1 (or to the closest LTS version if you are using an old version).
We addressed the following CVEs:
- CVE-2025-24970 - Upstream Netty (only for 3.15)
- CVE-2025-1247 - Quarkus REST - Using field injection for request-scoped elements in REST resources not marked with the request scope could lead to concurrency issues.
- CVE-2024-12225 (embargo will be lifted soon) - WebAuthn - The callback endpoint was enabled by default. It must now be explicitly configured.
- CVE-2025-1634 (not published yet) - RESTEasy Classic - RESTEasy Classic endpoints may be affected by memory leaks. If you are exposing REST endpoints publicly using the quarkus-resteasy extension, the update is highly recommended. Quarkus REST is NOT affected by this CVE.
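The CVE-2025-1247 pattern, as an added illustration rather than code from the post or the Quarkus project: a resource that is not request-scoped but field-injects request-scoped elements, beside the two conventional ways to avoid it. Resource names, paths and the X-Tenant header are hypothetical; the comment on the default resource scope assumes Quarkus REST's documented single-instance default.

```java
import jakarta.enterprise.context.RequestScoped;
import jakarta.ws.rs.GET;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.core.Context;
import jakarta.ws.rs.core.HttpHeaders;
import jakarta.ws.rs.core.UriInfo;

// Pattern the advisory warns about: a Quarkus REST resource that is NOT
// request-scoped (assumption: Quarkus REST resources default to a single
// shared instance) but keeps request-scoped elements in instance fields.
// One instance serves concurrent requests, so a field may be observed
// holding another request's data.
@Path("/risky")
class RiskyResource {
    @Context HttpHeaders headers;   // per-request element held in a shared field
    @Context UriInfo uriInfo;       // same problem

    @GET
    public String who() {
        // "X-Tenant" is a hypothetical header used only for illustration
        return headers.getHeaderString("X-Tenant") + " " + uriInfo.getPath();
    }
}

// Fix 1: mark the resource request-scoped so every request gets its own
// instance, and therefore its own injected fields.
@RequestScoped
@Path("/scoped")
class ScopedResource {
    @Context HttpHeaders headers;
    @Context UriInfo uriInfo;

    @GET
    public String who() {
        return headers.getHeaderString("X-Tenant") + " " + uriInfo.getPath();
    }
}

// Fix 2: keep the shared instance but take request-scoped elements as
// method parameters; they are resolved per call and never stored on the
// instance, so nothing is shared between concurrent requests.
@Path("/param")
class ParamResource {
    @GET
    public String who(@Context HttpHeaders headers, @Context UriInfo uriInfo) {
        return headers.getHeaderString("X-Tenant") + " " + uriInfo.getPath();
    }
}
```

When auditing a code base for this item, look for @Context or @Inject fields of per-request types on resource classes that carry no @RequestScoped annotation.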
Join us
We value your feedback a lot, so please report bugs, ask for improvements... Let's build something great together!
If you are a Quarkus user or just curious, don't be shy and join our welcoming community:
- provide feedback on GitHub;
- craft some code and push a PR;
- discuss with us on Zulip and on our mailing list;
- ask your questions on Stack Overflow.