Quarkus
by Quarkusio
CVEs (18)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-50559 | | Important | 0.49 | 7.5 | 0.00 | | Jun 17, 2026 | io.quarkus/quarkus-vertx-http: Quarkus: Authorization bypass in HTTP path-based policies via encoded characters |
| CVE-2025-1247 | | High | 0.47 | 8.3 | 0.01 | | Feb 13, 2025 | A flaw was found in Quarkus REST that allows request parameters to leak between concurrent requests if endpoints use field injection without a CDI scope. This vulnerability allows attackers to manipulate request data, impersonate users, or access sensitive information. |
| CVE-2026-39852 | | High | 0.46 | 8.2 | 0.00 | | May 5, 2026 | Quarkus is a Java framework for building cloud-native applications. In versions prior to 3.20.6.1, 3.27.3.1, 3.33.1.1, 3.35.1.1, 3.34.7, and 3.35.2, a path normalization inconsistency between the security layer and the routing layer allows unauthenticated or lower-privileged… |
| CVE-2025-1634 | | High | 0.42 | 7.5 | 0.01 | | Feb 26, 2025 | A flaw was found in the quarkus-resteasy extension, which causes memory leaks when client requests with low timeouts are made. If a client request times out, a buffer is not released correctly, leading to increased memory usage and eventual application crash due to… |
| CVE-2024-12397 | | High | 0.41 | 7.4 | 0.01 | | Dec 12, 2024 | A flaw was found in Quarkus-HTTP, which incorrectly parses cookies with certain value-delimiting characters in incoming requests. This issue could allow an attacker to construct a cookie value to exfiltrate HttpOnly cookie values or spoof arbitrary additional cookie values,… |
| CVE-2024-2700 | | High | 0.39 | 7.0 | 0.00 | | Apr 4, 2024 | A vulnerability was found in the quarkus-core component. Quarkus captures local environment variables from the Quarkus namespace during the application's build, therefore, running the resulting application inherits the values captured at build time. Some local environment… |
| CVE-2025-49574 | | Medium | 0.35 | 6.4 | 0.00 | | Jun 23, 2025 | Quarkus is a Cloud Native, (Linux) Container First framework for writing Java applications. In versions prior to 3.24.1, 3.20.2, and 3.15.6, there is a potential data leak when duplicating a duplicated context. Quarkus extensively uses the Vert.x duplicated context to implement… |
| CVE-2023-5675 | | Medium | 0.35 | 6.5 | 0.00 | | Apr 25, 2024 | A flaw was found in Quarkus. When a Quarkus RestEasy Classic or Reactive JAX-RS endpoint has its methods declared in the abstract Java class or customized by Quarkus extensions using the annotation processor, the authorization of these methods will not be enforced if it is… |
| CVE-2024-1726 | | Medium | 0.28 | 5.3 | 0.01 | | Apr 25, 2024 | A flaw was discovered in the RESTEasy Reactive implementation in Quarkus. Due to security checks for some JAX-RS endpoints being performed after serialization, more processing resources are consumed while the HTTP request is checked. In certain configurations, if an attacker has… |
| CVE-2024-1979 | | Low | 0.16 | 3.5 | 0.01 | | Mar 13, 2024 | A vulnerability was found in Quarkus. In certain conditions related to the CI process, git credentials could be inadvertently published, which could put the git repository at risk. |
| CVE-2022-2466 | | | 0.01 | — | 0.01 | | Aug 31, 2022 | It was found that Quarkus 2.10.x does not terminate HTTP requests header context which may lead to unpredictable behavior. |
| CVE-2025-66560 | | | 0.00 | — | 0.00 | | Jan 7, 2026 | Quarkus is a Cloud Native, (Linux) Container First framework for writing Java applications. Prior to versions 3.31.0, 3.27.2, and 3.20.5, a vulnerability exists in the HTTP layer of Quarkus REST related to response handling. When a response is being written, the framework waits… |
| CVE-2024-12225 | | | 0.00 | — | 0.00 | | May 6, 2025 | A vulnerability was found in Quarkus in the quarkus-security-webauthn module. The Quarkus WebAuthn module publishes default REST endpoints for registering and logging users in while allowing developers to provide custom REST endpoints. When developers provide custom REST… |
| CVE-2023-5720 | | | 0.00 | — | 0.01 | | Nov 15, 2023 | A flaw was found in Quarkus, where it does not properly sanitize artifacts created using the Gradle plugin, allowing certain build system information to remain. This flaw allows an attacker to access potentially sensitive information from the build system within the application. |
| CVE-2023-1584 | | | 0.00 | — | 0.01 | | Oct 4, 2023 | A flaw was found in Quarkus. Quarkus OIDC can leak both ID and access tokens in the authorization code flow when an insecure HTTP protocol is used, which can allow attackers to access sensitive user data directly from the ID token or by using the access token to access user data… |
| CVE-2022-4147 | | | 0.00 | — | 0.01 | | Dec 6, 2022 | Quarkus CORS filter allows simple GET and POST requests with invalid Origin to proceed. Simple GET or POST requests made with XMLHttpRequest are the ones which have no event listeners registered on the object returned by the XMLHttpRequest upload property and have no… |
| CVE-2022-4116 | | | 0.00 | — | 0.33 | | Nov 22, 2022 | A vulnerability was found in quarkus. This security flaw happens in Dev UI Config Editor which is vulnerable to drive-by localhost attacks leading to remote code execution. |
| CVE-2022-0981 | | | 0.00 | — | 0.01 | | Mar 23, 2022 | A flaw was found in Quarkus. The state and potentially associated permissions can leak from one web request to another in RestEasy Reactive. This flaw allows a low-privileged user to perform operations on the database with a different set of privileges than intended. |