#VU121068 Resource management error in Quarkus - CVE-2025-66560
Published: January 7, 2026
Vulnerability identifier: #VU121068
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2025-66560
CWE-ID: CWE-399
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
Quarkus
Quarkus
Software vendor:
Red Hat Inc.
Red Hat Inc.
Description
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper management of internal resources within the application. When a response is being written, the framework waits for previously written response chunks to be fully transmitted before proceeding. If the client connection is dropped during this waiting period, the associated worker thread is never released and becomes permanently blocked. A remote attacker can initiate multiple requests to the server and keep dropping the connections exhausting the available worker threads.
Remediation
Install updates from vendor's website.