CVE-2025-66560
Published: 07 January 2026
Summary
CVE-2025-66560 is a medium-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in Quarkus. Its CVSS v3.1 base score is 5.9 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). It is ranked at the 1.8th percentile by exploit likelihood (well below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).
Deeper analysis
CVE-2025-66560 is a denial-of-service vulnerability in the HTTP response-handling layer of Quarkus REST, part of Quarkus, a cloud-native, container-first Java application framework. In versions prior to 3.31.0, 3.27.2 and 3.20.5, when a response is written in chunks the framework waits for the previously written chunk to be fully transmitted before writing the next one. If the client drops the connection during that wait, the wait never completes and the worker thread handling the request is never released. Each such occurrence permanently removes one thread from the pool; repeated occurrences exhaust it, resulting in degraded performance or complete application unavailability. The issue is classified under CWE-770 (Allocation of Resources Without Limits or Throttling) with a CVSS v3.1 base score of 5.9 (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).
Remote attackers with network access can exploit this vulnerability without privileges or user interaction, although the CVSS vector rates the attack complexity as high. By repeatedly initiating HTTP requests and dropping each connection while the response is still being transmitted, an attacker causes one worker thread per dropped connection to block indefinitely. Because blocked threads are never returned to the pool, the number of requests needed is bounded by the pool size (quarkus.thread-pool.max-threads); once that many threads are stuck, new requests queue behind them and the application stops responding.
The issue is fixed in Quarkus 3.31.0, 3.27.2 and 3.20.5. Until the upgrade is deployed, the only workaround the advisory offers is detection: a health check that monitors the worker thread pool for saturation that does not recede, so that affected instances can be taken out of rotation and restarted. Note that this does not stop the leak; only upgrading removes it. Additional details are available in the advisory at https://github.com/quarkusio/quarkus/security/advisories/GHSA-5rfx-cp42-p624.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-1178
Vulnerability details
Quarkus is a Cloud Native, (Linux) Container First framework for writing Java applications. Prior to versions 3.31.0, 3.27.2, and 3.20.5, a vulnerability exists in the HTTP layer of Quarkus REST related to response handling. When a response is being written, the framework waits for previously written response chunks to be fully transmitted before proceeding. If the client connection is dropped during this waiting period, the associated worker thread is never released and becomes permanently blocked. Under sustained or repeated occurrences, this can exhaust the available worker threads, leading to degraded performance, or complete unavailability of the application. This issue has been patched in versions 3.31.0, 3.27.2, and 3.20.5. A workaround involves implementing a health check that monitors the status and saturation of the worker thread pool to detect abnormal thread retention early.
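The workaround described above, as an added example that is not code from Quarkus or from the advisory: a SmallRye Health readiness check that reads saturation from the Quarkus worker pool and reports DOWN only when the pool has stayed saturated across several consecutive probes, which separates leaked threads (which never come back) from a burst of legitimate load (which clears). It assumes the worker pool is injectable as an `ExecutorService` backed by `org.jboss.threads.EnhancedQueueExecutor`; the package, class name, threshold and probe count are hypothetical.

```java
package org.acme.health; // hypothetical package, not part of Quarkus

import java.util.concurrent.ExecutorService;
import java.util.concurrent.atomic.AtomicInteger;

import jakarta.enterprise.context.ApplicationScoped;
import jakarta.inject.Inject;

import org.eclipse.microprofile.health.HealthCheck;
import org.eclipse.microprofile.health.HealthCheckResponse;
import org.eclipse.microprofile.health.HealthCheckResponseBuilder;
import org.eclipse.microprofile.health.Readiness;
import org.jboss.threads.EnhancedQueueExecutor;

/**
 * Readiness probe for the symptom of CVE-2025-66560: worker threads that block
 * forever after a client drops mid-response. Real load saturates the pool briefly;
 * leaked threads keep it saturated, so DOWN is reported only after the saturation
 * ratio has exceeded the threshold on several consecutive probes.
 */
@Readiness
@ApplicationScoped
public class WorkerPoolSaturationCheck implements HealthCheck {

    // Assumption: Quarkus exposes its main worker pool as this injectable bean,
    // implemented by org.jboss.threads.EnhancedQueueExecutor.
    @Inject
    ExecutorService workerPool;

    // Hypothetical tuning values: fraction of max threads in use that counts as
    // saturated, and how many consecutive saturated probes before reporting DOWN.
    static final double SATURATION_THRESHOLD = 0.9;
    static final int CONSECUTIVE_PROBES_FOR_DOWN = 3;

    private final AtomicInteger saturatedProbes = new AtomicInteger();

    @Override
    public HealthCheckResponse call() {
        HealthCheckResponseBuilder response = HealthCheckResponse.named("worker-pool-saturation");

        if (!(workerPool instanceof EnhancedQueueExecutor)) {
            // Cannot measure this executor type; stay UP but make the gap visible.
            return response.up()
                    .withData("note", "worker pool is not an EnhancedQueueExecutor; not measured")
                    .build();
        }

        EnhancedQueueExecutor pool = (EnhancedQueueExecutor) workerPool;
        int active = pool.getActiveCount();   // threads currently executing a task
        int max = pool.getMaximumPoolSize();  // the quarkus.thread-pool.max-threads cap
        int queued = pool.getQueueSize();     // tasks waiting for a free thread
        double saturation = max == 0 ? 1.0 : (double) active / max;

        // Blocked threads never return, so saturation stays high probe after probe;
        // a burst of genuine traffic drains within a few probes and resets the streak.
        int streak;
        if (saturation >= SATURATION_THRESHOLD) {
            streak = saturatedProbes.incrementAndGet();
        } else {
            saturatedProbes.set(0);
            streak = 0;
        }
        boolean down = streak >= CONSECUTIVE_PROBES_FOR_DOWN;

        response.withData("activeThreads", active)
                .withData("maxThreads", max)
                .withData("queuedTasks", queued)
                .withData("saturation", String.format("%.2f", saturation))
                .withData("saturatedProbes", streak);
        return down ? response.down().build() : response.up().build();
    }
}
```

With the quarkus-smallrye-health extension present, the check is served at /q/health/ready; wiring that endpoint into the orchestrator's readiness probe takes a saturated instance out of rotation. Because the leaked threads never recover, the same logic registered as a liveness check (@Liveness) is what actually gets the instance restarted. Expose the activeThreads and queuedTasks data to metrics as well: a rising active count with a queue that never drains on an otherwise idle service is the signature of the leak, and it is what to look for when confirming whether an unpatched deployment has already been hit.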
Related Threats
MITRE ATT&CK Enterprise Techniques: T1499.004 Application or System Exploitation
Why these techniques?
Vulnerability directly enables application-level resource exhaustion (thread pool) via crafted HTTP requests, matching T1499.004 Application or System Exploitation for DoS impact.
Mitigating Controls (NIST 800-53 r5)
- SC-5 (Denial-of-service Protection): directly requires denial-of-service protections that limit resource exhaustion from unbounded thread blocking on dropped connections.
- SC-6 (Resource Availability): mandates protection of resource availability to prevent thread-pool saturation caused by permanently blocked worker threads.
- Monitoring of worker-thread-pool saturation to detect abnormal thread retention early, as described in the workaround.