Medium severity6.4NVD Advisory· Published Jun 23, 2025· Updated Apr 15, 2026
CVE-2025-49574
CVE-2025-49574
Description
Quarkus is a Cloud Native, (Linux) Container First framework for writing Java applications. In versions prior to 3.24.1, 3.20.2, and 3.15.6, there is a potential data leak when duplicating a duplicated context. Quarkus extensively uses the Vert.x duplicated context to implement context propagation. With the new semantic data from one transaction can leak to the data from another transaction. From a Vert.x point of view, this new semantic clarifies the behavior. A significant amount of data is stored in the duplicated context, including request scope, security details, and metadata. Duplicating a duplicated context is rather rare and is only done in a few places. This issue has been patched in version 3.24.1, 3.20.2, and 3.15.6.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
io.quarkus:quarkus-vertxMaven | < 3.15.6 | 3.15.6 |
io.quarkus:quarkus-vertxMaven | >= 3.16.0.CR1, < 3.20.2 | 3.20.2 |
io.quarkus:quarkus-vertxMaven | >= 3.21.0.CR1, < 3.24.1 | 3.24.1 |
Patches
42b58f59f4bf0Merge pull request #48486 from jponge/deps/mutiny-vertx-3.19.1-vertx-4.5.16
7 files changed · +122 −59
bom/application/pom.xml+3 −3 modified@@ -46,7 +46,7 @@ <microprofile-jwt.version>2.1</microprofile-jwt.version> <microprofile-lra.version>2.0.1</microprofile-lra.version> <microprofile-openapi.version>4.0.2</microprofile-openapi.version> - <smallrye-common.version>2.12.0</smallrye-common.version> + <smallrye-common.version>2.12.2</smallrye-common.version> <smallrye-config.version>3.13.2</smallrye-config.version> <smallrye-health.version>4.2.0</smallrye-health.version> <smallrye-metrics.version>4.0.0</smallrye-metrics.version> @@ -57,7 +57,7 @@ <smallrye-context-propagation.version>2.2.1</smallrye-context-propagation.version> <smallrye-reactive-streams-operators.version>1.0.13</smallrye-reactive-streams-operators.version> <smallrye-reactive-types-converter.version>3.0.3</smallrye-reactive-types-converter.version> - <smallrye-mutiny-vertx-binding.version>3.19.0</smallrye-mutiny-vertx-binding.version> + <smallrye-mutiny-vertx-binding.version>3.19.1</smallrye-mutiny-vertx-binding.version> <smallrye-reactive-messaging.version>4.28.0</smallrye-reactive-messaging.version> <smallrye-stork.version>2.7.3</smallrye-stork.version> <jakarta.activation.version>2.1.3</jakarta.activation.version> @@ -111,7 +111,7 @@ <wildfly-elytron.version>2.6.4.Final</wildfly-elytron.version> <jboss-marshalling.version>2.2.3.Final</jboss-marshalling.version> <jboss-threads.version>3.9.1</jboss-threads.version> - <vertx.version>4.5.14</vertx.version> + <vertx.version>4.5.16</vertx.version> <httpclient.version>4.5.14</httpclient.version> <httpcore.version>4.4.16</httpcore.version> <httpasync.version>4.1.5</httpasync.version>
docs/src/main/asciidoc/messaging.adoc+19 −27 modified@@ -656,21 +656,18 @@ This means that context captured through Emitters won't be propagated to the out This behaviour can be configured using `quarkus.messaging.connector-context-propagation` configuration property, by listing the context types to propagate. For example `quarkus.messaging.connector-context-propagation=CDI` will only propagate the CDI context. -<<internal-channels>> however do propagate the context, as they are part of the same application and the context is not lost. +=== Context Propagation with Emitters -For example, you might want to propagate the caller context from an incoming HTTP request to the message processing stage. -For emitters, it is recommended to use the `MutinyEmitter`, as it exposes methods such as `sendAndAwait` that makes sure to wait until a message processing is terminated. +When using messaging emitters, the context is not propagated by default. -[WARNING] -==== -The execution context to which the RequestScoped context is bound, in the previous example the REST call, controls the lifecycle of the context. -This means that when the REST call is completed the RequestScoped context is destroyed. -Therefore, you need to make sure that your processing or message dispatch is completed before the REST call completes. +In some scenarios, you might want to propagate the caller context to the message processing stage, using <<internal-channels,internal channels>>. -For more information check the xref:context-propagation.adoc#context-propagation-for-cdi[Context Propagation] guide. -==== +Quarkus provides `ContextualEmitter`, a drop in replacement for `MutinyEmitter` and `Emitter`, that allows you to propagate the context when sending messages. +You can use the context propagation annotation `@CurrentThreadContext` to configure the contexts that will be propagated from an _emitter_ method. +The annotation configures the contexts that will be captured and propagated from that method, +and needs to be present on the propagator method, i.e. the caller of the emitter, not the processing method. -For example, let `RequestScopedBean` a request-scoped bean, `MutinyEmitter` can be used to dispatch messages locally through the internal channel `app`: +Let `RequestScopedBean` a request-scoped bean, `ContextualEmitter` can be used to dispatch messages locally through the internal channel `app`: [source, java] ---- @@ -681,19 +678,15 @@ import jakarta.ws.rs.Path; import jakarta.ws.rs.core.MediaType; import org.eclipse.microprofile.reactive.messaging.Channel; -import io.smallrye.reactive.messaging.MutinyEmitter; import io.quarkus.logging.Log; - -import io.smallrye.mutiny.Uni; -import io.vertx.core.Context; -import io.vertx.core.Vertx; +import io.quarkus.smallrye.reactivemessaging.runtime.ContextualEmitter; @Path("/") public class Resource { @Channel("app") - MutinyEmitter<String> emitter; + ContextualEmitter<String> emitter; @Inject RequestScopedBean requestScopedBean; @@ -736,16 +729,7 @@ public class Processor { } ---- -[TIP] -==== -You can use the context propagation annotation `@CurrentThreadContext` to configure the contexts that will be propagated from an _emitter_ method. -The annotation configures the contexts that will be captured and propagated from that method, -and needs to be present on the propagator method, i.e. the caller of the emitter, not the processing method. - -Because Quarkus Messaging dispatches messages on link:https://smallrye.io/smallrye-reactive-messaging/latest/concepts/message-context[message context], -propagation plans with cleared or not propagated contexts can lead to race conditions using emitters in <<internal-channels,internal channels>>. -It is recommended to use `ContextualEmitter` to ensure the context propagation plan is applied correctly. - +You can also use the `@CurrentThreadContext` annotation to control which contexts are propagated. The following example shows how to avoid propagating any context to the message processing stage: [source, java] @@ -785,7 +769,15 @@ public class Resource { } ---- +[WARNING] ==== +The execution context to which the RequestScoped context is bound, in the previous example the REST call, controls the lifecycle of the context. +This means that when the REST call is completed the RequestScoped context is destroyed. +Therefore, you need to make sure that your processing or message dispatch is completed before the REST call completes. + +For more information check the xref:context-propagation.adoc#context-propagation-for-cdi[Context Propagation] guide. +==== + === Request Context Activation
extensions/smallrye-reactive-messaging/runtime/src/main/java/io/quarkus/smallrye/reactivemessaging/runtime/ContextualEmitterImpl.java+16 −1 modified@@ -18,8 +18,10 @@ import io.smallrye.reactive.messaging.providers.extension.AbstractEmitter; import io.smallrye.reactive.messaging.providers.i18n.ProviderLogging; import io.smallrye.reactive.messaging.providers.locals.ContextAwareMessage; +import io.smallrye.reactive.messaging.providers.locals.LocalContextMetadata; import io.vertx.core.Context; import io.vertx.core.Vertx; +import io.vertx.core.impl.ContextInternal; public class ContextualEmitterImpl<T> extends AbstractEmitter<T> implements ContextualEmitter<T> { @@ -67,7 +69,7 @@ public <M extends Message<? extends T>> Uni<Void> sendMessage(M msg) { // during the emission. Context context = Vertx.currentContext(); // context propagation capture and duplicate the context - var msgUni = Uni.createFrom().item(() -> ContextAwareMessage.withContextMetadata((Message<? extends T>) msg)); + var msgUni = Uni.createFrom().item(() -> createContextualMessage((Message<? extends T>) msg, context)); if (context != null) { msgUni = msgUni.emitOn(r -> context.runOnContext(x -> r.run())); } @@ -97,6 +99,19 @@ public <M extends Message<? extends T>> Uni<Void> sendMessage(M msg) { } } + private static <T, M extends Message<T>> Message<T> createContextualMessage(M msg, Context context) { + if (context == null) { + // No context, return the message with a new context as is. + return ContextAwareMessage.withContextMetadata(msg); + } else { + // create new context and copy local data from previous context + ContextInternal internal = (ContextInternal) context; + ContextInternal newCtx = internal.duplicate(); + newCtx.localContextData().putAll(internal.localContextData()); + return msg.addMetadata(new LocalContextMetadata(newCtx)); + } + } + public static <T> Uni<T> emitter(Consumer<UniEmitter<? super T>> emitter) { return Infrastructure.onUniCreation(new UniCreateWithEmitter<>(emitter)); }
extensions/vertx-http/runtime/src/main/java/io/quarkus/vertx/http/runtime/filters/AbstractResponseWrapper.java+5 −0 modified@@ -169,6 +169,11 @@ public HttpServerResponse endHandler(Handler<Void> handler) { return this; } + @Override + public Future<Void> writeHead() { + return delegate.writeHead(); + } + @Override public Future<Void> write(String chunk, String enc) {
independent-projects/resteasy-reactive/pom.xml+2 −2 modified@@ -57,7 +57,7 @@ <mutiny.version>2.9.1</mutiny.version> <smallrye-common.version>2.12.0</smallrye-common.version> - <vertx.version>4.5.14</vertx.version> + <vertx.version>4.5.16</vertx.version> <rest-assured.version>5.5.5</rest-assured.version> <commons-logging-jboss-logging.version>1.0.0.Final</commons-logging-jboss-logging.version> <jackson-bom.version>2.19.1</jackson-bom.version> @@ -66,7 +66,7 @@ <yasson.version>3.0.4</yasson.version> <jakarta.json.bind-api.version>3.0.1</jakarta.json.bind-api.version> <awaitility.version>4.3.0</awaitility.version> - <smallrye-mutiny-vertx-core.version>3.19.0</smallrye-mutiny-vertx-core.version> + <smallrye-mutiny-vertx-core.version>3.19.1</smallrye-mutiny-vertx-core.version> <reactive-streams.version>1.0.4</reactive-streams.version> <mockito.version>5.18.0</mockito.version> <wiremock.version>3.13.1</wiremock.version>
independent-projects/vertx-utils/pom.xml+1 −1 modified@@ -17,7 +17,7 @@ <properties> <jboss-logging.version>3.6.1.Final</jboss-logging.version> - <vertx.version>4.5.14</vertx.version> + <vertx.version>4.5.16</vertx.version> </properties> <dependencies>
integration-tests/reactive-messaging-context-propagation/src/test/java/io/quarkus/it/kafka/KafkaContextPropagationTest.java+76 −25 modified@@ -22,6 +22,7 @@ public class KafkaContextPropagationTest { @Nested + // FlowerResource class ContextNotPropagated { @Test void testNonBlocking() { @@ -131,6 +132,7 @@ void testVirtualThreadUni() { } @Nested + // FlowerContextualResource class ContextPropagated { @Test void testNonBlocking() { @@ -192,63 +194,112 @@ void testVirtualThreadUni() { } @Nested - class MutinyContextPropagated { + // FlowerMutinyResource + class MutinyContextNotPropagated { @Test void testNonBlocking() { - given().body("rose").post("/flowers/mutiny").then().statusCode(204); - given().body("peony").post("/flowers/mutiny").then().statusCode(204); - given().body("daisy").post("/flowers/mutiny").then().statusCode(204); + given().body("rose").post("/flowers/mutiny").then() + .statusCode(500) + .body(assertBodyRequestScopedContextWasNotActive()); + given().body("peony").post("/flowers/mutiny").then() + .statusCode(500) + .body(assertBodyRequestScopedContextWasNotActive()); + given().body("daisy").post("/flowers/mutiny").then() + .statusCode(500) + .body(assertBodyRequestScopedContextWasNotActive()); } @Test void testNonBlockingUni() { - given().body("rose").post("/flowers/mutiny/uni").then().statusCode(204); - given().body("peony").post("/flowers/mutiny/uni").then().statusCode(204); - given().body("daisy").post("/flowers/mutiny/uni").then().statusCode(204); + given().body("rose").post("/flowers/mutiny/uni").then() + .statusCode(500) + .body(assertBodyRequestScopedContextWasNotActive()); + given().body("peony").post("/flowers/mutiny/uni").then() + .statusCode(500) + .body(assertBodyRequestScopedContextWasNotActive()); + given().body("daisy").post("/flowers/mutiny/uni").then() + .statusCode(500) + .body(assertBodyRequestScopedContextWasNotActive()); } @Test void testBlocking() { - given().body("rose").post("/flowers/mutiny/blocking").then().statusCode(204); - given().body("peony").post("/flowers/mutiny/blocking").then().statusCode(204); - given().body("daisy").post("/flowers/mutiny/blocking").then().statusCode(204); + given().body("rose").post("/flowers/mutiny/blocking").then() + .statusCode(500) + .body(assertBodyRequestScopedContextWasNotActive()); + given().body("peony").post("/flowers/mutiny/blocking").then() + .statusCode(500) + .body(assertBodyRequestScopedContextWasNotActive()); + given().body("daisy").post("/flowers/mutiny/blocking").then() + .statusCode(500) + .body(assertBodyRequestScopedContextWasNotActive()); } @Test void testBlockingUni() { - given().body("rose").post("/flowers/mutiny/uni/blocking").then().statusCode(204); - given().body("peony").post("/flowers/mutiny/uni/blocking").then().statusCode(204); - given().body("daisy").post("/flowers/mutiny/uni/blocking").then().statusCode(204); + given().body("rose").post("/flowers/mutiny/uni/blocking").then() + .statusCode(500) + .body(assertBodyRequestScopedContextWasNotActive()); + given().body("peony").post("/flowers/mutiny/uni/blocking").then() + .statusCode(500) + .body(assertBodyRequestScopedContextWasNotActive()); + given().body("daisy").post("/flowers/mutiny/uni/blocking").then() + .statusCode(500) + .body(assertBodyRequestScopedContextWasNotActive()); } @Test void testBlockingNamed() { - given().body("rose").post("/flowers/mutiny/blocking-named").then().statusCode(204); - given().body("peony").post("/flowers/mutiny/blocking-named").then().statusCode(204); - given().body("daisy").post("/flowers/mutiny/blocking-named").then().statusCode(204); + given().body("rose").post("/flowers/mutiny/blocking-named").then() + .statusCode(500) + .body(assertBodyRequestScopedContextWasNotActive()); + given().body("peony").post("/flowers/mutiny/blocking-named").then() + .statusCode(500) + .body(assertBodyRequestScopedContextWasNotActive()); + given().body("daisy").post("/flowers/mutiny/blocking-named").then() + .statusCode(500) + .body(assertBodyRequestScopedContextWasNotActive()); } @Test void testBlockingNamedUni() { - given().body("rose").post("/flowers/mutiny/uni/blocking-named").then().statusCode(204); - given().body("peony").post("/flowers/mutiny/uni/blocking-named").then().statusCode(204); - given().body("daisy").post("/flowers/mutiny/uni/blocking-named").then().statusCode(204); + given().body("rose").post("/flowers/mutiny/uni/blocking-named").then() + .statusCode(500) + .body(assertBodyRequestScopedContextWasNotActive()); + given().body("peony").post("/flowers/mutiny/uni/blocking-named").then() + .statusCode(500) + .body(assertBodyRequestScopedContextWasNotActive()); + given().body("daisy").post("/flowers/mutiny/uni/blocking-named").then() + .statusCode(500) + .body(assertBodyRequestScopedContextWasNotActive()); } @Test @EnabledForJreRange(min = JRE.JAVA_21) void testVirtualThread() { - given().body("rose").post("/flowers/mutiny/virtual-thread").then().statusCode(204); - given().body("peony").post("/flowers/mutiny/virtual-thread").then().statusCode(204); - given().body("daisy").post("/flowers/mutiny/virtual-thread").then().statusCode(204); + given().body("rose").post("/flowers/mutiny/virtual-thread").then() + .statusCode(500) + .body(assertBodyRequestScopedContextWasNotActive()); + given().body("peony").post("/flowers/mutiny/virtual-thread").then() + .statusCode(500) + .body(assertBodyRequestScopedContextWasNotActive()); + given().body("daisy").post("/flowers/mutiny/virtual-thread").then() + .statusCode(500) + .body(assertBodyRequestScopedContextWasNotActive()); } @Test @EnabledForJreRange(min = JRE.JAVA_21) void testVirtualThreadUni() { - given().body("rose").post("/flowers/mutiny/uni/virtual-thread").then().statusCode(204); - given().body("peony").post("/flowers/mutiny/uni/virtual-thread").then().statusCode(204); - given().body("daisy").post("/flowers/mutiny/uni/virtual-thread").then().statusCode(204); + given().body("rose").post("/flowers/mutiny/uni/virtual-thread").then() + .statusCode(500) + .body(assertBodyRequestScopedContextWasNotActive()); + given().body("peony").post("/flowers/mutiny/uni/virtual-thread").then() + .statusCode(500) + .body(assertBodyRequestScopedContextWasNotActive()); + given().body("daisy").post("/flowers/mutiny/uni/virtual-thread").then() + .statusCode(500) + .body(assertBodyRequestScopedContextWasNotActive()); } }
31e8a3bfcf4eBackport of #48486 on 3.20
6 files changed · +18 −13
bom/application/pom.xml+6 −6 modified@@ -46,7 +46,7 @@ <microprofile-jwt.version>2.1</microprofile-jwt.version> <microprofile-lra.version>2.0.1</microprofile-lra.version> <microprofile-openapi.version>4.0.2</microprofile-openapi.version> - <smallrye-common.version>2.12.0</smallrye-common.version> + <smallrye-common.version>2.12.2</smallrye-common.version> <smallrye-config.version>3.11.4</smallrye-config.version> <smallrye-health.version>4.2.0</smallrye-health.version> <smallrye-metrics.version>4.0.0</smallrye-metrics.version> @@ -57,8 +57,8 @@ <smallrye-context-propagation.version>2.2.1</smallrye-context-propagation.version> <smallrye-reactive-streams-operators.version>1.0.13</smallrye-reactive-streams-operators.version> <smallrye-reactive-types-converter.version>3.0.3</smallrye-reactive-types-converter.version> - <smallrye-mutiny-vertx-binding.version>3.18.1</smallrye-mutiny-vertx-binding.version> - <smallrye-reactive-messaging.version>4.27.0</smallrye-reactive-messaging.version> + <smallrye-mutiny-vertx-binding.version>3.19.1</smallrye-mutiny-vertx-binding.version> + <smallrye-reactive-messaging.version>4.28.0</smallrye-reactive-messaging.version> <smallrye-stork.version>2.7.3</smallrye-stork.version> <jakarta.activation.version>2.1.3</jakarta.activation.version> <jakarta.annotation-api.version>3.0.0</jakarta.annotation-api.version> @@ -110,7 +110,7 @@ <wildfly-elytron.version>2.6.3.Final</wildfly-elytron.version> <jboss-marshalling.version>2.2.2.Final</jboss-marshalling.version> <jboss-threads.version>3.8.0.Final</jboss-threads.version> - <vertx.version>4.5.14</vertx.version> + <vertx.version>4.5.16</vertx.version> <httpclient.version>4.5.14</httpclient.version> <httpcore.version>4.4.16</httpcore.version> <httpasync.version>4.1.5</httpasync.version> @@ -132,11 +132,11 @@ <infinispan.version>15.0.14.Final</infinispan.version> <infinispan.protostream.version>5.0.13.Final</infinispan.protostream.version> <caffeine.version>3.2.0</caffeine.version> - <netty.version>4.1.119.Final</netty.version> + <netty.version>4.1.121.Final</netty.version> <brotli4j.version>1.16.0</brotli4j.version> <reactive-streams.version>1.0.4</reactive-streams.version> <jboss-logging.version>3.6.1.Final</jboss-logging.version> - <mutiny.version>2.8.0</mutiny.version> + <mutiny.version>2.9.2</mutiny.version> <jctools-core.version>4.0.5</jctools-core.version> <kafka3.version>3.9.0</kafka3.version> <lz4.version>1.8.0</lz4.version> <!-- dependency of the kafka-clients that could be overridden by other imported BOMs in the platform -->
extensions/vertx-http/runtime/src/main/java/io/quarkus/vertx/http/runtime/filters/AbstractResponseWrapper.java+5 −0 modified@@ -169,6 +169,11 @@ public HttpServerResponse endHandler(Handler<Void> handler) { return this; } + @Override + public Future<Void> writeHead() { + return delegate.writeHead(); + } + @Override public Future<Void> write(String chunk, String enc) {
independent-projects/arc/pom.xml+1 −1 modified@@ -47,7 +47,7 @@ <version.gizmo>1.8.0</version.gizmo> <version.jandex>3.3.0</version.jandex> <version.jboss-logging>3.6.1.Final</version.jboss-logging> - <version.mutiny>2.8.0</version.mutiny> + <version.mutiny>2.9.2</version.mutiny> <version.bridger>1.6.Final</version.bridger> <version.smallrye-common>2.12.0</version.smallrye-common> <!-- test versions -->
independent-projects/qute/pom.xml+1 −1 modified@@ -44,7 +44,7 @@ <version.gizmo>1.8.0</version.gizmo> <version.jboss-logging>3.6.1.Final</version.jboss-logging> <version.smallrye-common>2.12.0</version.smallrye-common> - <version.smallrye-mutiny>2.8.0</version.smallrye-mutiny> + <version.smallrye-mutiny>2.9.2</version.smallrye-mutiny> </properties> <modules>
independent-projects/resteasy-reactive/pom.xml+4 −4 modified@@ -56,18 +56,18 @@ <gizmo.version>1.8.0</gizmo.version> <jakarta.persistence-api.version>3.1.0</jakarta.persistence-api.version> - <mutiny.version>2.8.0</mutiny.version> + <mutiny.version>2.9.2</mutiny.version> <smallrye-common.version>2.12.0</smallrye-common.version> - <vertx.version>4.5.14</vertx.version> + <vertx.version>4.5.16</vertx.version> <rest-assured.version>5.5.1</rest-assured.version> <commons-logging-jboss-logging.version>1.0.0.Final</commons-logging-jboss-logging.version> <jackson-bom.version>2.18.2</jackson-bom.version> <smallrye-stork.version>2.7.3</smallrye-stork.version> <jakarta.validation-api.version>3.0.2</jakarta.validation-api.version> <yasson.version>3.0.4</yasson.version> <jakarta.json.bind-api.version>3.0.1</jakarta.json.bind-api.version> - <awaitility.version>4.2.2</awaitility.version> - <smallrye-mutiny-vertx-core.version>3.18.1</smallrye-mutiny-vertx-core.version> + <awaitility.version>4.3.0</awaitility.version> + <smallrye-mutiny-vertx-core.version>3.19.1</smallrye-mutiny-vertx-core.version> <reactive-streams.version>1.0.4</reactive-streams.version> <mockito.version>5.16.1</mockito.version> <mutiny-zero.version>1.1.1</mutiny-zero.version>
independent-projects/vertx-utils/pom.xml+1 −1 modified@@ -17,7 +17,7 @@ <properties> <jboss-logging.version>3.6.1.Final</jboss-logging.version> - <vertx.version>4.5.14</vertx.version> + <vertx.version>4.5.16</vertx.version> </properties> <dependencies>
d1ee57e7b826Backport of #48486 on 3.15
6 files changed · +19 −14
bom/application/pom.xml+6 −6 modified@@ -50,7 +50,7 @@ <microprofile-reactive-streams-operators.version>3.0.1</microprofile-reactive-streams-operators.version> <microprofile-rest-client.version>3.0.1</microprofile-rest-client.version> <microprofile-jwt.version>2.1</microprofile-jwt.version> - <microprofile-lra.version>2.0</microprofile-lra.version> + <microprofile-lra.version>2.0.1</microprofile-lra.version> <microprofile-openapi.version>3.1.1</microprofile-openapi.version> <smallrye-common.version>2.6.1</smallrye-common.version> <smallrye-config.version>3.9.1</smallrye-config.version> @@ -62,8 +62,8 @@ <smallrye-jwt.version>4.5.3</smallrye-jwt.version> <smallrye-context-propagation.version>2.1.2</smallrye-context-propagation.version> <smallrye-reactive-streams-operators.version>1.0.13</smallrye-reactive-streams-operators.version> - <smallrye-reactive-types-converter.version>3.0.1</smallrye-reactive-types-converter.version> - <smallrye-mutiny-vertx-binding.version>3.16.0</smallrye-mutiny-vertx-binding.version> + <smallrye-reactive-types-converter.version>3.0.3</smallrye-reactive-types-converter.version> + <smallrye-mutiny-vertx-binding.version>3.19.1</smallrye-mutiny-vertx-binding.version> <smallrye-reactive-messaging.version>4.24.0</smallrye-reactive-messaging.version> <smallrye-stork.version>2.6.3</smallrye-stork.version> <jakarta.activation.version>2.1.3</jakarta.activation.version> @@ -115,7 +115,7 @@ <wildfly-elytron.version>2.5.2.Final</wildfly-elytron.version> <jboss-marshalling.version>2.2.1.Final</jboss-marshalling.version> <jboss-threads.version>3.6.1.Final</jboss-threads.version> - <vertx.version>4.5.14</vertx.version> + <vertx.version>4.5.16</vertx.version> <httpclient.version>4.5.14</httpclient.version> <httpcore.version>4.4.16</httpcore.version> <httpasync.version>4.1.5</httpasync.version> @@ -137,11 +137,11 @@ <infinispan.version>15.0.14.Final</infinispan.version> <infinispan.protostream.version>5.0.13.Final</infinispan.protostream.version> <caffeine.version>3.1.5</caffeine.version> - <netty.version>4.1.119.Final</netty.version> + <netty.version>4.1.121.Final</netty.version> <brotli4j.version>1.16.0</brotli4j.version> <reactive-streams.version>1.0.4</reactive-streams.version> <jboss-logging.version>3.6.0.Final</jboss-logging.version> - <mutiny.version>2.6.2</mutiny.version> + <mutiny.version>2.9.2</mutiny.version> <jctools-core.version>4.0.5</jctools-core.version> <kafka3.version>3.7.2</kafka3.version> <lz4.version>1.8.0</lz4.version> <!-- dependency of the kafka-clients that could be overridden by other imported BOMs in the platform -->
extensions/vertx-http/runtime/src/main/java/io/quarkus/vertx/http/runtime/filters/AbstractResponseWrapper.java+5 −0 modified@@ -169,6 +169,11 @@ public HttpServerResponse endHandler(Handler<Void> handler) { return this; } + @Override + public Future<Void> writeHead() { + return delegate.writeHead(); + } + @Override public Future<Void> write(String chunk, String enc) {
independent-projects/arc/pom.xml+1 −1 modified@@ -47,7 +47,7 @@ <version.gizmo>1.8.0</version.gizmo> <version.jandex>3.2.3</version.jandex> <version.jboss-logging>3.6.0.Final</version.jboss-logging> - <version.mutiny>2.6.2</version.mutiny> + <version.mutiny>2.9.2</version.mutiny> <version.bridger>1.6.Final</version.bridger> <version.smallrye-common>2.6.1</version.smallrye-common> <!-- test versions -->
independent-projects/qute/pom.xml+1 −1 modified@@ -44,7 +44,7 @@ <version.gizmo>1.8.0</version.gizmo> <version.jboss-logging>3.6.0.Final</version.jboss-logging> <version.smallrye-common>2.6.1</version.smallrye-common> - <version.smallrye-mutiny>2.6.2</version.smallrye-mutiny> + <version.smallrye-mutiny>2.9.2</version.smallrye-mutiny> </properties> <modules>
independent-projects/resteasy-reactive/pom.xml+4 −4 modified@@ -56,18 +56,18 @@ <gizmo.version>1.8.0</gizmo.version> <jakarta.persistence-api.version>3.1.0</jakarta.persistence-api.version> - <mutiny.version>2.6.2</mutiny.version> + <mutiny.version>2.9.2</mutiny.version> <smallrye-common.version>2.6.1</smallrye-common.version> - <vertx.version>4.5.14</vertx.version> + <vertx.version>4.5.16</vertx.version> <rest-assured.version>5.5.0</rest-assured.version> <commons-logging-jboss-logging.version>1.0.0.Final</commons-logging-jboss-logging.version> <jackson-bom.version>2.17.2</jackson-bom.version> <smallrye-stork.version>2.6.3</smallrye-stork.version> <jakarta.validation-api.version>3.0.2</jakarta.validation-api.version> <yasson.version>3.0.4</yasson.version> <jakarta.json.bind-api.version>3.0.1</jakarta.json.bind-api.version> - <awaitility.version>4.2.2</awaitility.version> - <smallrye-mutiny-vertx-core.version>3.16.0</smallrye-mutiny-vertx-core.version> + <awaitility.version>4.3.0</awaitility.version> + <smallrye-mutiny-vertx-core.version>3.19.1</smallrye-mutiny-vertx-core.version> <reactive-streams.version>1.0.4</reactive-streams.version> <mockito.version>5.12.0</mockito.version> <mutiny-zero.version>1.1.0</mutiny-zero.version>
independent-projects/vertx-utils/pom.xml+2 −2 modified@@ -16,8 +16,8 @@ <name>Ancillary classes for making third party frameworks to run on top of Vert.x</name> <properties> - <jboss-logging.version>3.6.0.Final</jboss-logging.version> - <vertx.version>4.5.14</vertx.version> + <jboss-logging.version>3.6.1.Final</jboss-logging.version> + <vertx.version>4.5.16</vertx.version> </properties> <dependencies>
4d05b77f0699Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
9- github.com/advisories/GHSA-9623-mj7j-p9v4ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2025-49574ghsaADVISORY
- github.com/quarkusio/quarkus/commit/2b58f59f4bf0bae7d35b1abb585b65f2a66787d1nvdWEB
- github.com/quarkusio/quarkus/commit/31e8a3bfcf4e223788615d5ce25eb929ca251275nvdWEB
- github.com/quarkusio/quarkus/commit/d1ee57e7b826872b6355cfec0ae13465840e232cnvdWEB
- github.com/quarkusio/quarkus/issues/48227nvdWEB
- github.com/quarkusio/quarkus/pull/48486nvdWEB
- github.com/quarkusio/quarkus/releases/tag/3.24.1nvdWEB
- github.com/quarkusio/quarkus/security/advisories/GHSA-9623-mj7j-p9v4nvdWEB
News mentions
0No linked articles in our index yet.