High severity7.4NVD Advisory· Published Dec 12, 2024· Updated Apr 15, 2026

CVE-2024-12397

Description

A flaw was found in Quarkus-HTTP, which incorrectly parses cookies with certain value-delimiting characters in incoming requests. This issue could allow an attacker to construct a cookie value to exfiltrate HttpOnly cookie values or spoof arbitrary additional cookie values, leading to unauthorized data access or modification. The main threat from this flaw impacts data confidentiality and integrity.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
io.quarkus.http:quarkus-http-coreMaven	< 5.3.4	5.3.4

Patches

cfc99d80fce2

Merge pull request #170 from aloubyansky/cookie-improper-quotes

https://github.com/quarkusio/quarkus-httpClement EscoffierDec 9, 2024via ghsa

commit

2 files changed · +17 −0

core/src/main/java/io/undertow/util/Cookies.java+3 −0 modified

@@ -271,6 +271,9 @@ private static void parseCookie(final String cookie, final Map<String, Cookie> p
                         cookieCount = createCookie(name, cookie.substring(start, i), maxCookies, cookieCount, cookies, additional);
                         state = 0;
                         start = i + 1;
+                    } else if (c == ';' || (commaIsSeperator && c == ',')) {
+                        state = 0;
+                        start = i + 1;
                     }
                     break;
                 }

core/src/test/java/io/undertow/util/CookiesTestCase.java+14 −0 modified

@@ -362,4 +362,18 @@ public void testInvalidRfc6265CookieInDomain() {
         Rfc6265CookieSupport.validateDomain(cookie.getDomain());
     }
 
+    @Test
+    public void testNoDoubleQuoteTermination() {
+        Map<String, Cookie> cookies = Cookies.parseRequestCookies(4, false, Arrays.asList("CUSTOMER=\"WILE_E_COYOTE\"; BAD=\"X; SHIPPING=FEDEX"), true);
+        Assert.assertEquals(2, cookies.size());
+        Cookie cookie = cookies.get("CUSTOMER");
+        Assert.assertEquals("CUSTOMER", cookie.getName());
+        Assert.assertEquals("WILE_E_COYOTE", cookie.getValue());
+        cookie = cookies.get("BAD");
+        Assert.assertNull(cookie);
+        cookie = cookies.get("SHIPPING");
+        Assert.assertEquals("SHIPPING", cookie.getName());
+        Assert.assertEquals("FEDEX", cookie.getValue());
+        Assert.assertNotNull(cookie);
+    }
 }

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/advisories/GHSA-cxrx-q234-m22mghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2024-12397ghsaADVISORY
access.redhat.com/errata/RHSA-2025:0900nvdWEB
access.redhat.com/errata/RHSA-2025:1082ghsaWEB
access.redhat.com/errata/RHSA-2025:3018nvdWEB
access.redhat.com/errata/RHSA-2025:8761nvdWEB
access.redhat.com/security/cve/CVE-2024-12397nvdWEB
bugzilla.redhat.com/show_bug.cginvdWEB
github.com/quarkusio/quarkus-http/commit/cfc99d80fce2e3a3dbf06972e648e79e925a7ae7ghsaWEB
github.com/quarkusio/quarkus-http/pull/170ghsaWEB

News mentions

No linked articles in our index yet.

cvss	0.481
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000