Cyber Posture

CVE-2025-1247

Severity: High
Published: 13 February 2025
Modified: 15 April 2026
KEV Added: not listed
Patch: available (see the Red Hat advisories under Deeper analysis)
CVSS Score: 8.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L)
EPSS Score: 0.0005 (15.2nd percentile)
Risk Priority: 17 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-1247 is a high-severity Exposure of Data Element to Wrong Session (CWE-488) vulnerability in Quarkus REST: request parameters injected into fields of an endpoint class that has no CDI scope can leak between concurrent requests. Its CVSS v3.1 base score is 8.3 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its EPSS score places it at the 15.2nd percentile of exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SC-4 (Information in Shared System Resources), applied alongside the vendor patches.

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

Vendor patch (prevent): directly remediates the Quarkus REST flaw that lets request parameters leak between concurrent requests, by applying the vendor fixes such as those shipped in Red Hat advisory RHSA-2025:1884.

SC-4 Information in Shared System Resources (prevent): prevents unauthorized information transfer via shared system resources, which is exactly the failure here: an unscoped resource class is instantiated once, so its field-injected request values are shared by every in-flight request.

CM-6 Configuration Settings (prevent): enforces secure configuration of Quarkus applications so that resource classes injecting request values into fields carry a CDI request scope (@RequestScoped), or take request values as method parameters instead, which removes the vulnerable condition.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why this technique?

A public-facing Quarkus REST endpoint in the vulnerable configuration can be driven remotely, and the resulting cross-request leakage enables request data disclosure, manipulation, and user impersonation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

A flaw was found in Quarkus REST that allows request parameters to leak between concurrent requests if endpoints use field injection without a CDI scope. This vulnerability allows attackers to manipulate request data, impersonate users, or access sensitive information.
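The shape the NVD description calls vulnerable, beside the two hardened forms the configuration controls above describe, as an added example that is not code from this page or from the Quarkus project. It assumes a Quarkus 3 application using the quarkus-rest extension (jakarta.* imports); the package, class names and paths are illustrative, and each public class belongs in its own source file.

```java
// Added example, not from the page or the Quarkus project. Package, class names
// and paths are assumptions; put each public class in its own file.
package org.example.leak;

import jakarta.enterprise.context.RequestScoped;
import jakarta.ws.rs.GET;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.QueryParam;

// --- VulnerableResource.java ---
// No CDI scope annotation: Quarkus REST creates a single instance of the class,
// so the one 'user' field is shared by every in-flight request. Under load,
// request A's handler can run with the value request B just had injected,
// which is the cross-request leak described by CVE-2025-1247.
@Path("/vulnerable")
public class VulnerableResource {

    @QueryParam("user")
    String user;

    @GET
    public String whoAmI() {
        // Echoes the injected field, which may belong to another request.
        return "user=" + user;
    }
}

// --- ScopedResource.java ---
// Fix 1 (CM-6): declare a request scope. Each request gets its own instance,
// so a field injected for one request is never visible to another.
@Path("/scoped")
@RequestScoped
public class ScopedResource {

    @QueryParam("user")
    String user;

    @GET
    public String whoAmI() {
        return "user=" + user;
    }
}

// --- ParamResource.java ---
// Fix 2 (CM-6): take the request value as a method argument. Nothing
// request-specific is stored on the shared instance, so sharing it is safe.
@Path("/param")
public class ParamResource {

    @GET
    public String whoAmI(@QueryParam("user") String user) {
        return "user=" + user;
    }
}
```

Method-parameter injection (ParamResource) is the safer default because it cannot regress if someone later removes the scope annotation; reserve @RequestScoped for resources that genuinely need per-request state in fields. Neither form replaces the vendor patch, which is what makes the unscoped case behave correctly for code you do not control.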

Deeper analysis

CVE-2025-1247, published on 2025-02-13, is a vulnerability in the Quarkus REST component that enables request parameters to leak between concurrent requests when endpoints employ field injection without a CDI scope. This flaw affects Quarkus applications using such configurations. It carries a CVSS v3.1 base score of 8.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L) and maps to CWE-488.

An attacker with low privileges (PR:L), for instance any ordinary user able to reach the endpoint, can exploit the flaw remotely over the network with low attack complexity and no user interaction: sending requests concurrently with other users' traffic is enough for values injected for one request to be read or acted on by another. Exploitation permits manipulation of request data, impersonation of other users, or access to sensitive information, resulting in high confidentiality and integrity impacts alongside a low availability impact.
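A way to check whether a deployed endpoint actually exhibits the leak, as an added verification probe that is not from this page or from the Quarkus project: it fires many concurrent requests, each carrying a unique query value, at an endpoint that echoes the value back as "user=<value>" (the response format, default URL, request count and thread count are assumptions for illustration), and counts responses whose echoed value is not the one that request sent.

```java
// Added verification probe, not from the page or the Quarkus project. The
// endpoint URL, the "user=<value>" echo format and the load parameters are
// assumptions; point it at an endpoint that echoes its 'user' query parameter.
package org.example.leak;

import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.util.ArrayList;
import java.util.List;
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.concurrent.atomic.AtomicInteger;

public class LeakProbe {

    // Sends 'requests' GETs from 'threads' workers, each with a distinct value,
    // and returns how many responses echoed a value other than the one sent.
    static int probe(String endpoint, int requests, int threads) throws Exception {
        HttpClient client = HttpClient.newHttpClient();
        ExecutorService pool = Executors.newFixedThreadPool(threads);
        AtomicInteger mismatches = new AtomicInteger();
        List<Future<Void>> pending = new ArrayList<>();
        try {
            for (int i = 0; i < requests; i++) {
                String sent = "u" + i; // unique per request, so any mix-up is visible
                Callable<Void> task = () -> {
                    HttpRequest req = HttpRequest.newBuilder(
                            URI.create(endpoint + "?user=" + sent)).GET().build();
                    HttpResponse<String> resp =
                            client.send(req, HttpResponse.BodyHandlers.ofString());
                    String expected = "user=" + sent;
                    if (!expected.equals(resp.body())) {
                        mismatches.incrementAndGet();
                        System.out.println("LEAK sent=" + sent + " got=" + resp.body());
                    }
                    return null;
                };
                pending.add(pool.submit(task));
            }
            for (Future<Void> f : pending) {
                f.get(); // surfaces connection or protocol failures as exceptions
            }
        } finally {
            pool.shutdown();
        }
        return mismatches.get();
    }

    public static void main(String[] args) throws Exception {
        String endpoint = args.length > 0 ? args[0] : "http://localhost:8080/vulnerable";
        int leaks = probe(endpoint, 2000, 64);
        System.out.println(leaks == 0
                ? "no cross-request leakage observed in this run"
                : leaks + " responses carried another request's parameter");
    }
}
```

A non-zero count is a definite finding. A zero count on one run is not proof of absence, since the leak is a race: repeat with more threads and requests, and compare the unscoped endpoint against the @RequestScoped and method-parameter variants, and against the patched Quarkus build, before signing off.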

Red Hat advisories, including errata RHSA-2025:1884, RHSA-2025:1885, and RHSA-2025:2067, address the issue with patches and updates. Further details on the vulnerability and mitigations are provided on the Red Hat security page for CVE-2025-1247 and Bugzilla entry 2345172.

Details

CWE(s): CWE-488 Exposure of Data Element to Wrong Session

CVEs Like This One (shared CWE-488)

CVE-2025-30073
CVE-2026-34391
CVE-2025-15576
CVE-2023-1907