VYPR
Get started
← All advisories
High severity7.5NVD Advisory· Published Feb 26, 2025· Updated Apr 20, 2026

CVE-2025-1634

CVE-2025-1634

Description

A flaw was found in the quarkus-resteasy extension, which causes memory leaks when client requests with low timeouts are made. If a client request times out, a buffer is not released correctly, leading to increased memory usage and eventual application crash due to OutOfMemoryError.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
io.quarkus:quarkus-resteasyMaven
>= 3.16.0.CR1, < 3.19.13.19.1
io.quarkus:quarkus-resteasyMaven
>= 3.9.0.CR1, < 3.15.3.13.15.3.1
io.quarkus:quarkus-resteasyMaven
< 3.8.6.13.8.6.1

Patches

4
30d949a4c54b

Merge pull request #46425 from gsmet/fix-re-os

https://github.com/quarkusio/quarkusGuillaume SmetFeb 26, 2025via ghsa
commit
1 file changed · +11 1
  • extensions/resteasy-classic/resteasy/runtime/src/main/java/io/quarkus/resteasy/runtime/standalone/VertxHttpResponse.java+11 1 modified
    @@ -138,8 +138,18 @@ private void transformHeadersList(final String key, final List<Object> valueList
 
     public void finish() throws IOException {
         checkException();
-        if (finished || response.ended() || response.closed())
+
+        if (finished || response.ended() || response.closed()) {
+            if (os != null) {
+                try {
+                    os.close();
+                    os = null;
+                } catch (Exception ignored) {
+
+                }
+            }
             return;
+        }
         try {
             if (os != null) {
                 os.close(); // this will end() vertx response
70ffbd00d71d

Merge pull request #46426 from gsmet/fix-re-os-3.15

https://github.com/quarkusio/quarkusGuillaume SmetFeb 25, 2025via ghsa
commit
1 file changed · +11 1
  • extensions/resteasy-classic/resteasy/runtime/src/main/java/io/quarkus/resteasy/runtime/standalone/VertxHttpResponse.java+11 1 modified
    @@ -138,8 +138,18 @@ private void transformHeadersList(final String key, final List<Object> valueList
 
     public void finish() throws IOException {
         checkException();
-        if (finished || response.ended() || response.closed())
+
+        if (finished || response.ended() || response.closed()) {
+            if (os != null) {
+                try {
+                    os.close();
+                    os = null;
+                } catch (Exception ignored) {
+
+                }
+            }
             return;
+        }
         try {
             if (os != null) {
                 os.close(); // this will end() vertx response
80b8eb41678c

Always close OutputStream in RESTEasy Classic

https://github.com/quarkusio/quarkusGeorgios AndrianakisFeb 21, 2025via ghsa
commit
1 file changed · +11 1
  • extensions/resteasy-classic/resteasy/runtime/src/main/java/io/quarkus/resteasy/runtime/standalone/VertxHttpResponse.java+11 1 modified
    @@ -138,8 +138,18 @@ private void transformHeadersList(final String key, final List<Object> valueList
 
     public void finish() throws IOException {
         checkException();
-        if (finished || response.ended() || response.closed())
+
+        if (finished || response.ended() || response.closed()) {
+            if (os != null) {
+                try {
+                    os.close();
+                    os = null;
+                } catch (Exception ignored) {
+
+                }
+            }
             return;
+        }
         try {
             if (os != null) {
                 os.close(); // this will end() vertx response
291296befabf

Always close OutputStream in RESTEasy Classic

https://github.com/quarkusio/quarkusGeorgios AndrianakisFeb 21, 2025via ghsa
commit
1 file changed · +11 1
  • extensions/resteasy-classic/resteasy/runtime/src/main/java/io/quarkus/resteasy/runtime/standalone/VertxHttpResponse.java+11 1 modified
    @@ -138,8 +138,18 @@ private void transformHeadersList(final String key, final List<Object> valueList
 
     public void finish() throws IOException {
         checkException();
-        if (finished || response.ended() || response.closed())
+
+        if (finished || response.ended() || response.closed()) {
+            if (os != null) {
+                try {
+                    os.close();
+                    os = null;
+                } catch (Exception ignored) {
+
+                }
+            }
             return;
+        }
         try {
             if (os != null) {
                 os.close(); // this will end() vertx response

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

18

News mentions

0

No linked articles in our index yet.