
Quarkus 2.14.2.Final and 2.13.5.Final released - Fix for CVE-2022-4116

Today, we are announcing the release of Quarkus 2.14.2.Final and Quarkus 2.13.5.Final.

Both releases fix CVE-2022-4116, which has been rated as high severity.

This fix also hardens CORS handling, including changing 200 OK to 403 FORBIDDEN when a CORS request is rejected because of an invalid origin.

It is highly recommended to upgrade to these new versions:

  • 2.14.2.Final contains this fix and several others

  • 2.13.5.Final targets the 2.13 branch and contains this fix only

Users of the Red Hat Build of Quarkus should update to the latest 2.7.6.Final-redhat-00012.

About CVE-2022-4116

CVE-2022-4116 is a vulnerability in our Dev UI that could lead to remote code execution on the machine running the Dev UI, if you go to a carefully crafted webpage while the Dev UI is running.

While it only affects Dev Mode, the impact is still high, as it could lead to an attacker getting local access to your development box.

Joseph Beeton from Contrast Security explains the issue in detail in this blog post.


The easiest way to mitigate the issue is to upgrade to either 2.14.2.Final or 2.13.5.Final.

If you cannot upgrade right now, a possible workaround is to use a random path for the Quarkus Dev UI by moving all the non-application endpoints to a random root:

%dev.quarkus.http.non-application-root-path=<your random string>

The Dev UI is then available at the following URL: http://localhost:8080/<your random string>/dev/.

Note that this also affects other non-application endpoints such as the health endpoints (but only in dev mode, as we use the dev profile).
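
One way to apply this workaround from a shell, as an added example that is not part of the original post or of Quarkus itself: it generates an unguessable path and sets the property idempotently in an application.properties file. The property name and URL layout come from the text above; the function names, the 128-bit token length and the file handling are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example: set a random non-application root path for dev mode.
# Function names and token length are choices of this example, not Quarkus tooling.

# Print a URL-safe random token: 16 bytes from the kernel CSPRNG as 32 hex chars.
gen_token() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# set_random_root <path/to/application.properties> [token]
# Replaces an existing %dev non-application root path, or appends one,
# then prints the URL where the Dev UI is reachable afterwards.
set_random_root() {
    props="$1"
    token="${2:-$(gen_token)}"
    key='%dev.quarkus.http.non-application-root-path'
    tmp="$(mktemp)" || return 1

    # Keep every line except a previous assignment of the key, so that
    # re-running the function never leaves two conflicting values behind.
    if [ -f "$props" ]; then
        awk -v k="${key}=" 'index($0, k) != 1' "$props" > "$tmp" || return 1
    fi
    printf '%s=%s\n' "$key" "$token" >> "$tmp"

    # Write back in place (rather than mv) to keep the file's permissions.
    cat "$tmp" > "$props" || return 1
    rm -f "$tmp"

    printf 'http://localhost:8080/%s/dev/\n' "$token"
}

# Usage: set_random_root src/main/resources/application.properties
```

Keep the generated value out of shared repositories if the same properties file is committed, since the workaround depends on the path not being known to the page you visit.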


We would like to thank Joseph Beeton from Contrast Security for responsibly reporting this security issue, and for providing both an in-depth analysis of the problem and a reproducer.