Description

Quarkus is a Cloud Native, (Linux) Container First framework for writing Java applications. Prior to versions 3.31.0, 3.27.2, and 3.20.5, a vulnerability exists in the HTTP layer of Quarkus REST related to response handling. When a response is being written, the framework waits for previously written response chunks to be fully transmitted before proceeding. If the client connection is dropped during this waiting period, the associated worker thread is never released and becomes permanently blocked. Under sustained or repeated occurrences, this can exhaust the available worker threads, leading to degraded performance, or complete unavailability of the application. This issue has been patched in versions 3.31.0, 3.27.2, and 3.20.5. A workaround involves implementing a health check that monitors the status and saturation of the worker thread pool to detect abnormal thread retention early.

INFO

Published Date :

2026-01-07T17:33:22.083Z

Last Modified :

2026-01-07T17:59:59.091Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2025-66560 vulnerability.

Vendors Products
Quarkus
  • Quarkus
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-66560.

URL Resource
https://github.com/quarkusio/quarkus/security/advisories/GHSA-5rfx-cp42-p624 cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2025-66560 cve-icon
https://www.cve.org/CVERecord?id=CVE-2025-66560 cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact