Cyber Posture

CVE-2025-1634

Severity: High
Published: 26 February 2025
Modified: 20 April 2026
KEV Added: not listed
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0047 (64.9th percentile)
Risk Priority: 15 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-1634 is a high-severity Missing Release of Memory after Effective Lifetime (CWE-401) vulnerability in the quarkus-resteasy extension. Its CVSS v3.1 base score is 7.5 (High); the vector has no confidentiality or integrity impact, so the whole score is driven by availability.

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its EPSS score places it in the top 35.1% of CVEs by exploit likelihood, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and Application or System Exploitation (T1499.004). What defenders deploy: the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

Patch the affected component (prevent): directly addresses the memory leak by requiring timely identification, reporting, and patching of the quarkus-resteasy flaw as specified in the Red Hat errata. This is the only control that removes the leak; the two below only bound how fast an attacker can trigger it.

SC-5 Denial-of-service Protection (prevent, detect): protects against denial of service from memory exhaustion by implementing mechanisms such as per-source rate limiting, which throttles a client that repeatedly opens requests and abandons them with a short timeout. Note that a per-source limit does not stop an attacker who spreads the same request pattern across many sources.

SC-6 Resource Availability (prevent): ensures availability of critical resources such as memory against depletion caused by unreleased buffers from timed-out client requests, for example by capping per-request buffer sizes and alerting on a JVM heap whose post-GC floor keeps rising.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

The memory leak lets an unauthenticated remote client exhaust a public-facing Quarkus REST application's memory by repeatedly issuing requests that time out on the client side (T1190); the leaked buffers accumulate until the application crashes with an OutOfMemoryError (T1499.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1
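Detection sketch for the impact side of this mapping (T1499.004). A leaked-buffer denial of service has two observable signals: the JVM's used heap keeps returning to a higher floor after each garbage collection, and the count of requests the client abandoned before the response was written climbs at the same time. The code below is an added example, not part of this page's analysis or of the Quarkus project; the metric samples and the counter name (http_client_aborts_total) are constructed stand-ins for whatever your JVM exporter actually emits.

```python
"""Detect a rising post-GC heap floor that coincides with a burst of
client-aborted requests.  Added illustrative code; the series below are
constructed, not captured from a real Quarkus deployment."""


def window_troughs(series, window):
    """Minimum of each consecutive window: a cheap approximation of the
    'used heap after GC' floor when only periodic used-heap samples exist."""
    return [min(series[i:i + window])
            for i in range(0, len(series) - window + 1, window)]


def floor_is_rising(series, window, min_growth=0.10):
    """True when every window trough exceeds the previous one and the total
    rise over the series is at least min_growth (10% by default)."""
    troughs = window_troughs(series, window)
    if len(troughs) < 3:
        return False
    monotonic = all(b > a for a, b in zip(troughs, troughs[1:]))
    growth = (troughs[-1] - troughs[0]) / troughs[0]
    return monotonic and growth >= min_growth


def abort_rate(counter_samples):
    """Per-interval increments of a monotonically increasing counter of
    requests the client abandoned before the response was written
    (constructed name: http_client_aborts_total)."""
    return [b - a for a, b in zip(counter_samples, counter_samples[1:])]


def should_alert(heap_used, client_aborts, window=4, abort_threshold=20):
    """Alert only when both signals agree: a rising heap floor AND a burst
    of aborted requests within the most recent `window` intervals."""
    rising = floor_is_rising(heap_used, window)
    recent = abort_rate(client_aborts)[-window:]
    bursty = bool(recent) and max(recent) >= abort_threshold
    return rising and bursty


# Constructed samples (MiB of used heap, one per minute).  A healthy service
# shows a sawtooth that returns to the same floor after each GC; a leaking
# one returns to a floor that climbs by the leaked buffers each cycle.
HEALTHY_HEAP = [100, 160, 220, 280] * 4
LEAKY_HEAP = [100 + 30 * cycle + 60 * step
              for cycle in range(4) for step in range(4)]

# Constructed counter samples: a steady trickle of aborts versus a burst of
# 40 aborts per minute starting halfway through the window.
QUIET_ABORTS = [2 * i for i in range(16)]
BURST_ABORTS = [2 * i for i in range(8)] + [14 + 40 * (i + 1) for i in range(8)]

if __name__ == "__main__":
    print("leaky heap + abort burst:", should_alert(LEAKY_HEAP, BURST_ABORTS))
    print("healthy heap + abort burst:", should_alert(HEALTHY_HEAP, BURST_ABORTS))
    print("leaky heap + quiet aborts:", should_alert(LEAKY_HEAP, QUIET_ABORTS))
```

Requiring both signals keeps the rule quiet during ordinary heap growth (cache warm-up, a traffic increase) and during an abort burst caused by a slow upstream that is not leaking. Tune the window to your GC cadence and the abort threshold to your baseline before deploying the rule.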

NVD Description

A flaw was found in the quarkus-resteasy extension, which causes memory leaks when client requests with low timeouts are made. If a client request times out, a buffer is not released correctly, leading to increased memory usage and eventual application crash due to OutOfMemoryError.

Deeper analysis

CVE-2025-1634 is a memory leak vulnerability in the quarkus-resteasy extension. When a client request times out before the response is written, the buffer associated with that request is not released; each such request therefore leaves a little more memory checked out, usage grows progressively, and the application eventually crashes with an OutOfMemoryError. It is classified under CWE-401 (Missing Release of Memory after Effective Lifetime) and affects Quarkus applications that use the resteasy extension.

The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H): high availability impact with no confidentiality or integrity effect. Because the client controls its own request timeout, an unauthenticated remote attacker with network access can trigger the leak deliberately, with low complexity and no user interaction, simply by opening requests with a very short timeout and letting them expire; repeating this exhausts memory and denies service to legitimate users.

Red Hat has shipped fixes in multiple errata: RHSA-2025:12511, RHSA-2025:1884, RHSA-2025:1885, RHSA-2025:2067, and RHSA-2025:23417. Update affected systems to the fixed versions these bulletins specify; rate limiting and memory ceilings only slow the leak down and are interim measures until the patch is applied.
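To make the mechanism and the trade-off between the mitigations concrete, here is an added toy model covering both the leak described in this analysis and the rate-limiting and resource-availability controls listed in the Mitigating Controls section above. It is illustrative code written for this page, not Quarkus or RESTEasy source: the server is reduced to a bounded pool of response buffers (a constructed stand-in for JVM memory), a request either completes or is abandoned by a client-side timeout, and the per-client limiter is a hypothetical fixed-window policy with made-up thresholds.

```python
"""Toy model of the CWE-401 failure mode behind CVE-2025-1634 and of the
SC-5 / SC-6 style mitigations.  Added illustrative code, not Quarkus or
RESTEasy source; the pool, the traffic and the thresholds are constructed."""
from collections import defaultdict
from dataclasses import dataclass


class OutOfBuffers(Exception):
    """Stand-in for the OutOfMemoryError the NVD description mentions."""


@dataclass
class BufferPool:
    capacity: int
    in_use: int = 0

    def acquire(self) -> None:
        if self.in_use >= self.capacity:
            raise OutOfBuffers("buffer pool exhausted")
        self.in_use += 1

    def release(self) -> None:
        self.in_use -= 1


def vulnerable_handle(pool: BufferPool, client_timed_out: bool) -> None:
    """The bug pattern: the buffer is released only on the success path, so
    a request the client abandons leaves its buffer checked out forever."""
    pool.acquire()
    if client_timed_out:
        raise TimeoutError("client gave up before the response was written")
    pool.release()


def fixed_handle(pool: BufferPool, client_timed_out: bool) -> None:
    """The corrected pattern: release on every exit path, including abort."""
    pool.acquire()
    try:
        if client_timed_out:
            raise TimeoutError("client gave up before the response was written")
    finally:
        pool.release()


class PerClientLimiter:
    """Per-source request cap, the 'rate limiting' mitigation under SC-5.
    Hypothetical fixed-window policy; derive real thresholds from your own
    traffic baseline."""

    def __init__(self, max_requests: int) -> None:
        self.max_requests = max_requests
        self.seen: dict[str, int] = defaultdict(int)

    def allow(self, client: str) -> bool:
        self.seen[client] += 1
        return self.seen[client] <= self.max_requests


def run(requests, handler, pool_size, limiter=None):
    """Drive `handler` over (client, timed_out) pairs.
    Returns (buffers_still_checked_out, requests_rejected, crashed)."""
    pool = BufferPool(capacity=pool_size)
    rejected = 0
    for client, timed_out in requests:
        if limiter is not None and not limiter.allow(client):
            rejected += 1
            continue
        try:
            handler(pool, timed_out)
        except TimeoutError:
            pass  # abandoned request; anything the handler leaked stays leaked
        except OutOfBuffers:
            return pool.in_use, rejected, True
    return pool.in_use, rejected, False


# Constructed traffic: one source issues 50 requests that all time out on
# its side, interleaved with ordinary clients whose requests complete.
TRAFFIC = []
for i in range(50):
    TRAFFIC.append(("10.0.0.9", True))           # attacker, low timeout
    TRAFFIC.append((f"10.0.1.{i % 20}", False))  # ordinary client

if __name__ == "__main__":
    print("vulnerable, no limiter:", run(TRAFFIC, vulnerable_handle, 32))
    print("fixed, no limiter:     ", run(TRAFFIC, fixed_handle, 32))
    print("vulnerable + limiter:  ",
          run(TRAFFIC, vulnerable_handle, 32, PerClientLimiter(10)))
```

With a pool of 32 buffers the vulnerable handler crashes after the attacker's 32nd abandoned request, the fixed handler never leaks, and the limiter holds the leak at 10 buffers by rejecting the attacker's remaining 40 requests. The limiter only bounds the leak per source; an attacker with many source addresses gets the same result, which is why the errata, not the rate limit, are the fix.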

Details

CWE(s): CWE-401 Missing Release of Memory after Effective Lifetime
CVEs Like This One (shared CWE-401)

CVE-2025-20239
CVE-2025-56353
CVE-2025-21091
CVE-2026-25969
CVE-2026-31711
CVE-2026-25988
CVE-2026-24828
CVE-2026-4247
CVE-2026-20105
CVE-2026-1605
