CVE-2025-1247 in REST

Summary

by MITRE • 02/13/2025

A flaw was found in Quarkus REST that allows request parameters to leak between concurrent requests if endpoints use field injection without a CDI scope. This vulnerability allows attackers to manipulate request data, impersonate users, or access sensitive information.


Analysis

by VulDB Data Team • 03/23/2026

This vulnerability exists within the Quarkus framework's REST implementation where improper field injection handling creates a cross-request data leakage scenario. The flaw specifically manifests when REST endpoints utilize field injection patterns without proper CDI scoping mechanisms, creating a condition where request parameters can persist across concurrent HTTP requests. The underlying technical issue stems from the framework's failure to properly isolate request-scoped variables, allowing state information to leak between different client interactions. This represents a classic case of improper resource management where the framework does not adequately clear or reset field injection targets between requests, creating a persistent data contamination vector.

The operational impact of this vulnerability extends beyond simple data leakage to encompass serious security implications including credential theft, user impersonation, and unauthorized data access. Attackers can exploit this weakness by crafting specific request sequences that manipulate the injected fields, potentially accessing data belonging to other users or extracting sensitive information from the application's internal state. The vulnerability particularly affects applications that rely on field injection for dependency management or parameter binding, making it prevalent in typical Quarkus REST applications. This flaw directly violates security principles related to request isolation and proper state management, creating a persistent threat that can be exploited across multiple concurrent connections.

From a security standards perspective, this vulnerability aligns with CWE-691 which addresses inadequate protection of data during concurrent access scenarios, and CWE-353 which covers issues related to insufficient data protection during processing. The attack pattern follows typical privilege escalation techniques described in the MITRE ATT&CK framework under T1078 for valid accounts and T1566 for social engineering. The vulnerability also demonstrates characteristics of insecure data handling practices that could lead to data exposure and unauthorized access scenarios. The lack of proper CDI scoping creates a persistent state contamination issue that can be leveraged for information disclosure and access control bypass.

Mitigation strategies should focus on implementing proper CDI scoping for all field injection points within REST endpoints, ensuring that request-scoped beans are properly managed and cleared between concurrent requests. Developers should avoid field injection patterns without explicit scope declarations and instead utilize constructor injection or method injection patterns that provide better isolation guarantees. The framework should enforce proper request boundary management and implement automatic clearing of field injection targets between requests. Additionally, application architects should implement comprehensive monitoring for unusual parameter patterns and establish proper access controls to limit the impact of potential exploitation. Regular security testing should include concurrent request testing to identify similar field injection vulnerabilities, and defensive programming practices should be enforced through code review processes and automated security scanning tools.
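The scoping advice above, as an added illustration that is not taken from the advisory or from the Quarkus project: the unscoped field-injection pattern the advisory describes, beside two ways of keeping a request parameter per-request. Class names, paths and the `userId` parameter are made up; in a real project each public class lives in its own source file.

```java
import jakarta.enterprise.context.RequestScoped;
import jakarta.ws.rs.GET;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.QueryParam;

// Pattern the advisory warns about: a request parameter injected into a field
// of a resource class that declares no CDI scope. On affected Quarkus REST
// versions such a resource can be served from a shared instance, so the field
// is shared mutable state: request B can overwrite `userId` between request
// A's injection and A's read of it, returning B's value to A (or vice versa).
@Path("/unsafe/profile")
public class UnsafeProfileResource {

    @QueryParam("userId")
    String userId;            // shared across concurrent requests

    @GET
    public String profile() {
        return "profile for " + userId;   // may be another caller's value
    }
}

// Mitigation 1: declare the scope explicitly. With @RequestScoped, CDI builds
// a fresh instance (and fresh injected fields) for every HTTP request, so
// nothing can persist from one request to the next.
@RequestScoped
@Path("/scoped/profile")
public class ScopedProfileResource {

    @QueryParam("userId")
    String userId;            // per-request instance, per-request field

    @GET
    public String profile() {
        return "profile for " + userId;
    }
}

// Mitigation 2 (preferred): bind the parameter on the method instead of on a
// field. The value lives only in the method's own stack frame, so there is no
// instance state to share regardless of how the resource class is scoped.
@Path("/param/profile")
public class ParamProfileResource {

    @GET
    public String profile(@QueryParam("userId") String userId) {
        return "profile for " + userId;
    }
}
```

A code-review or static-analysis check for this issue is simple to express: flag any resource class that has JAX-RS parameter annotations on fields and no scope annotation on the class.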

Reservation

02/12/2025

Disclosure

02/13/2025

Moderation

accepted

CPE

ready

EPSS

0.00724

KEV

no

Activities

very low

Sources
