CVE-2025-1247 - How a Quarkus REST Field Injection Flaw Puts Your Java APIs at Risk

If you’re building Java APIs with Quarkus REST, you want performance and reliability. But the recent vulnerability CVE-2025-1247 exposes critical risks—allowing attackers to steal data or impersonate users due to a classic concurrency issue. In this post, I’ll break down what this vulnerability is, how it happens, how to spot it, and how you can fix or avoid it. If you use Quarkus or support Java RESTful services, you can’t afford to skip this one.

What Is CVE-2025-1247?

Discovered in early 2025, CVE-2025-1247 points to a flaw in the popular Quarkus REST stack. If your endpoints use *field injection* for request parameters (using @PathParam, @QueryParam, etc.) without a CDI scope like @RequestScoped, then concurrent HTTP requests may see each other’s parameters.

In other words, request data can "leak" between different user sessions. This means one user can accidentally (or maliciously) access another's data—or even impersonate them.

Quarkus REST allows you to inject HTTP parameters straight into Java fields

@Path("/hello")
public class HelloResource {
    @QueryParam("user")
    String user; // No scope annotation!

    @GET
    public String hello() {
        return "Hello " + user;
    }
}

If you don’t annotate the resource with a scope (@RequestScoped, @ApplicationScoped, etc.), Quarkus by default keeps a single instance of the class—a singleton. This leads to a shared variable (user in this case) for every request. When two requests hit this endpoint at the same time, one’s data can overwrite another’s, leading to classic race condition bugs.

A Practical Exploit Scenario

Suppose two users call /hello?user=alice and /hello?user=bob at almost the same time. Without proper scoping, both might get "Hello bob", or worse: what if you’re dealing with tokens or credentials instead of the simple user field?

Let’s see a basic REST resource you might have in a vulnerable Quarkus service

@Path("/account")
public class AccountResource {
    @QueryParam("accountId")
    String accountId; // Shared among all requests!

    @GET
    public String getAccountBalance() {
        // Imagine there's logic here to look up the balance by accountId
        return "Account " + accountId + " has $100 balance";
    }
}

If two users hit /account?accountId=123 and /account?accountId=456 at the same moment, they might receive the wrong information or leak account numbers.

Below is a simple Python script that demonstrates the race condition

import requests
import threading

def get_balance(account_id):
    resp = requests.get(f"http://localhost:808/account?accountId={account_id}";)
    print(f"Response for {account_id}: {resp.text}")

# Simulate two concurrent requests
threads = []
for aid in ['111111', '222222']:
    t = threading.Thread(target=get_balance, args=(aid,))
    threads.append(t)
    t.start()

for t in threads:
    t.join()

In output, you may see both requests print Response for 222222: Account 222222 has $100 balance, demonstrating parameter confusion.

How Serious Is CVE-2025-1247?

This is a critical concurrency bug. It is not just theoretical—real world services with private, personal, or authentication-relevant parameters are at significant risk. Attackers can sometimes “wait” for high-value targets in shared hosting, or script attacks to land their queries alongside targets at just the right millisecond.

How Do You Fix It?

If you use field injection (@QueryParam, @PathParam, etc.), always annotate your resources with @RequestScoped. This ensures a new instance is used per HTTP request, not persisted across threads.

The correct pattern

import jakarta.enterprise.context.RequestScoped;
import jakarta.ws.rs.*;

@Path("/safe")
@RequestScoped // <-- This is the fix!
public class SafeResource {
    @QueryParam("id")
    String id;

    @GET
    public String get() {
        return "You requested ID: " + id;
    }
}

Alternatively, use method parameters instead of field variables

@Path("/noLeak")
public class NoLeakResource {
    @GET
    public String get(@QueryParam("id") String id) {
        return "You requested ID: " + id;
    }
}

Why Method Parameters Work

Method parameters are mapped anew for each request and don’t suffer from shared state between calls—the JVM and servlet engine guarantee this isolation.

Quarkus REST users who use field injection without a CDI scope annotation.

- Versions: See Red Hat’s advisory and Quarkus issue tracker for specific affected versions.

Official References

- CVE-2025-1247 MITRE entry
- Red Hat Security Advisory
- Quarkus GitHub: Related Pull Request
- Jakarta RESTful Web Services Spec

Closing Advice

- Audit all your REST resources for field injections and missing @RequestScoped or other appropriate scopes.

If you use method parameters for your REST endpoints, you are safe.

- If your API handles sensitive data anywhere in path, query, header, or cookie parameters—be extra careful!

Update to the latest Quarkus version once patches are available.

Security bugs like CVE-2025-1247 often look simple but can have dramatic impact. Don’t let your app be the next headline. Audit, test, and fix!


Share this post with your Quarkus-loving friends! Any questions or needs for code review? Drop them below.


*This write-up is unique for this publication and includes original content, code, and step-by-step advice. Attribution and referencing as needed.*

Timeline

Published on: 02/13/2025 14:16:18 UTC
Last modified on: 03/15/2025 09:18:44 UTC