CVE fixes - February 2025
Today, we released CVE fixes releases for Quarkus 3.8 LTS and 3.15 LTS to address several CVEs.
If you are using these versions and the mentioned components, the update is recommended.
These CVEs are already fixed in Quarkus 3.19.1, so if you are using a non-LTS version, please upgrade to Quarkus 3.19.1 (or to the closest LTS version if you are using an old version).
We addressed the following CVEs:
-
CVE-2025-24970 - Upstream Netty (only for 3.15)
-
CVE-2025-1247 - Quarkus REST - Using field injection for request-scoped elements in REST resources not marked with the request scope could lead to concurrency issues.
-
CVE-2024-12225 (embargo will be lifted soon) - WebAuthn - The callback endpoint was enabled by default. It now requires to be explicitly configured.
-
CVE-2025-1634 (not published yet) - RESTEasy Classic - RESTEasy Classic endpoints may be affected by memory leaks. If you are exposing REST endpoints publicly using the
quarkus-resteasyextension, the update is highly recommended. Quarkus REST is NOT affected by this CVE.
参加のお誘い
私達は皆様からのフィードバックに重きを置いています。バグ報告、改善要望を是非お願いします。一緒に素晴らしいものを作り上げていきましょう!
Quarkusユーザーの場合でも、単に興味を持っているだけの場合でも、恥ずかしがらずにコミュニティに参加して下さい!:
-
GitHub でフィードバック
-
コードを作成し、 プルリクエスト を送信
-
Stack Overflow で質問
