CVE-2025-49574: Quarkus potential data leak when duplicating a duplicated context

Published Jun 23, 2025
·
Updated

Impact

Vert.x 4.5.12 has changed the semantics of the duplication of duplicated context.

Duplicated context is an object used to propagate data through a processing (synchronous or asynchronous). Each "transaction" or "processing" runs on its own isolated duplicated context.

Initially, duplicating a duplicated context was creating a fresh (empty) new context, meaning that the new duplicated context can be used to managed a separated transaction.

In Vert.x 4.5.12, this semantics has changed, and since the content of the parent duplicated context is copied into the new one, potentially leaking data.

This CVE is especially for Quarkus as Quarkus extensively uses the Vert.x duplicated context to implement context propagation. With the new semantic data from one transaction can leak to the data from another transaction. From a Vert.x point of view, this new semantic clarifies the behavior.

A significant amount of data is stored in the duplicated context, including request scope, security details, and metadata. Duplicating a duplicated context is rather rare and is only done in a few places:

- Quarkus REST Client when using OTel (but it's the same transaction, so no leak) - Quarkus Messaging connectors - Quarkus SmallRye Health (same transaction, so no leak)

Patches

After discussion with the Vert.x team, the change will be rolled back in Vert.x 4.x. A new API will be added to Vert.x 5 do distinguish the 2 cases.

Workarounds

When duplicating a duplicated context, the following code can be done to avoid the potential leak:

java ((ContextInternal) VertxContext.getRootContext(ctx)).duplicate()

This workaround would not be required once the Vert.x version containing the fix will be included. Note that the workaround would still work.

References

This issue have been reported in https://github.com/quarkusio/quarkus/issues/48227.

Other sources

Quarkus is a Cloud Native, (Linux) Container First framework for writing Java applications. In versions prior to 3.24.0, there is a potential data leak when duplicating a duplicated context. Quarkus extensively uses the Vert.x duplicated context to implement context propagation. With the new semantic data from one transaction can leak to the data from another transaction. From a Vert.x point of view, this new semantic clarifies the behavior. A significant amount of data is stored in the duplicated context, including request scope, security details, and metadata. Duplicating a duplicated context is rather rare and is only done in a few places. This issue has been patched in version 3.24.0.

NVD

Quarkus is a Cloud Native, (Linux) Container First framework for writing Java applications. In versions prior to 3.24.1, 3.20.2, and 3.15.6, there is a potential data leak when duplicating a duplicated context. Quarkus extensively uses the Vert.x duplicated context to implement context propagation. With the new semantic data from one transaction can leak to the data from another transaction. From a Vert.x point of view, this new semantic clarifies the behavior. A significant amount of data is stored in the duplicated context, including request scope, security details, and metadata. Duplicating a duplicated context is rather rare and is only done in a few places. This issue has been patched in version 3.24.1, 3.20.2, and 3.15.6.

MITRE

Affected Software

4 affected componentsFixes available
maven/io.quarkus:quarkus-vertx>=3.21.0.CR1<3.24.0
3.24.0
maven/io.quarkus:quarkus-vertx>=3.16.0.CR1<=3.20.1
maven/io.quarkus:quarkus-vertx<=3.15.5
IBM Concert Software<=1.0.0-2.1.0

Event History

Jun 23, 2025
Advisory Published
via GitHub·06:53 PM
Data Sourced
via GitHub·06:53 PM
DescriptionSeverityWeaknessAffected Software
CVE Published
via MITRE·07:47 PM
Data Sourced
via MITRE·07:47 PM
DescriptionSeverityWeakness
Data Sourced
via Red Hat·08:01 PM
DescriptionSeverityAffected Software
Data Sourced
via NVD·08:15 PM
DescriptionSeverityWeakness
Feb 10, 2026
Data Sourced
via IBM·12:00 AM
DescriptionAffected Software

Parent advisories

This vulnerability appears in the following advisories.

Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is the severity of CVE-2025-49574?

CVE-2025-49574 has been classified as a moderate severity vulnerability due to its potential impact on data propagation in applications using Vert.x.

2

How do I fix CVE-2025-49574?

To fix CVE-2025-49574, upgrade to Vert.x version 4.5.13 or later, which addresses the issues related to duplicated context semantics.

3

Which versions of Quarkus are affected by CVE-2025-49574?

Quarkus versions from 3.15.5 to 3.24.0 are affected by CVE-2025-49574.

4

What are the impacts of CVE-2025-49574 on my application?

The primary impact of CVE-2025-49574 involves the incorrect handling of duplicated context, potentially leading to data inconsistency during processing.

5

Is there a workaround for CVE-2025-49574?

Currently, there are no recommended workarounds for CVE-2025-49574 besides upgrading to a patched version of the software.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203