CVE-2022-4116
Description
Quarkus Dev UI is vulnerable to drive-by localhost attacks that allow remote code execution when a developer visits a malicious page.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The vulnerability in the Quarkus Dev UI Config Editor allows a drive-by localhost attack that leads to remote code execution (RCE) [1][2]. The root cause is insufficient protection of internal endpoints while the Dev UI is active in development mode [3].
Exploitation requires the victim to be running Quarkus in dev mode and to visit a malicious web page [3]. The attack is triggered from the victim's browser, which reaches the unauthenticated localhost services on the developer's behalf [2].
Successful exploitation gives an attacker code execution on the developer's machine, potentially leading to full compromise of the development environment [1][3]. The severity is high even though exposure is limited to dev mode.
The vulnerability is patched in Quarkus versions 2.14.2.Final and 2.13.5.Final [3]. As a workaround, users can set a random non-application root path to obscure the Dev UI endpoints [3]; note that this only makes the endpoints harder to guess and does not remove the underlying weakness. A fix for Red Hat Build of Quarkus 2.7 is forthcoming [1].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| io.quarkus:quarkus-vertx-http-deployment | Maven | >= 2.14.0, < 2.14.2.Final | 2.14.2.Final |
| io.quarkus:quarkus-vertx-http-deployment | Maven | < 2.13.5.Final | 2.13.5.Final |
Affected products (2)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (4)
News mentions (0)
No linked articles in our index yet.