CVE-2025-66560: Quarkus REST has potential worker thread starvation when HTTP connection is closed while waiting to write

Published Jan 7, 2026
·
Updated

A vulnerability exists in the HTTP layer of Quarkus REST related to response handling. When a response is being written, the framework waits for previously written response chunks to be fully transmitted before proceeding. If the client connection is dropped during this waiting period, the associated worker thread is never released and becomes permanently blocked. Under sustained or repeated occurrences, this can exhaust the available worker threads, leading to degraded performance, or complete unavailability of the application. ## Workarounds For versions without the fix applied, it is recommended to implement a health check that monitors the status and saturation of the worker thread pool. This helps detect abnormal thread retention early and allows operators to take corrective action before the application’s responsiveness is impacted. ## Credits CVE reported by Shaswata Jash, Nokia

Affected Software

9 affected componentsFixes available
Quarkus Quarkus REST<3.20.5
Quarkus Quarkus REST>3.20.5<=3.27.2
Quarkus Quarkus REST>3.27.2<=3.31.0
maven/io.quarkus:quarkus-rest>=3.30.0<3.31.0
3.31.0
maven/io.quarkus:quarkus-rest>=3.21.0<3.27.2
3.27.2
maven/io.quarkus:quarkus-rest<3.20.5
3.20.5
Quarkus Quarkus<3.20.5
Quarkus Quarkus>=3.21.0<3.27.2
Quarkus Quarkus>=3.30.0<3.31.0

Event History

Jan 7, 2026
CVE Published
via MITRE·05:33 PM
Data Sourced
via MITRE·05:33 PM
DescriptionSeverityWeakness
Advisory Published
via GitHub·06:09 PM
Data Sourced
via GitHub·06:09 PM
DescriptionSeverityWeaknessAffected Software
Data Sourced
via NVD·06:15 PM
DescriptionSeverityWeakness
Data Sourced
via NVD·06:15 PM
Affected Software
Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is the severity of CVE-2025-66560?

The severity of CVE-2025-66560 is considered to be significant due to its impact on the HTTP response handling in Quarkus REST.

2

How do I fix CVE-2025-66560?

To fix CVE-2025-66560, upgrade to Quarkus versions 3.31.0, 3.27.2, or 3.20.5 or later.

3

What versions of Quarkus are affected by CVE-2025-66560?

CVE-2025-66560 affects Quarkus versions prior to 3.31.0, 3.27.2, and 3.20.5.

4

What kind of functionality is impacted by CVE-2025-66560?

CVE-2025-66560 impacts the HTTP layer of Quarkus REST, specifically related to how responses are handled.

5

Is CVE-2025-66560 a remote code execution vulnerability?

CVE-2025-66560 is not a remote code execution vulnerability, but it poses risks associated with improper response handling.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203