CVSS: 7.8 | EPSS: 0% | CPEs: 25 | EXPL: 0 | CVE-2024-4027 – Undertow: OutOfMemoryError in HttpServletRequestImpl.getParameterNames() can cause remote DoS attacks
https://notcve.org/view.php?id=CVE-2024-4027
30 Jan 2026 — A flaw was found in Undertow. Servlets using a method that calls HttpServletRequestImpl.getParameterNames() can cause an OutOfMemoryError when the client sends a request with large parameter names. This issue can be exploited by an unauthorized user to cause a remote denial-of-service (DoS) attack. • https://access.redhat.com/security/cve/CVE-2024-4027 • CWE-20: Improper Input Validation •
CVSS: 4.3 | EPSS: 0% | CPEs: 6 | EXPL: 0 | CVE-2025-14969 – hibernate-reactive-core: Hibernate Reactive: denial of service due to connection leak on HTTP client disconnect
https://notcve.org/view.php?id=CVE-2025-14969
26 Jan 2026 — A flaw was found in Hibernate Reactive. When an HTTP endpoint is exposed to perform database operations, a remote client can prematurely close the HTTP connection. This action may lead to leaking connections from the database connection pool, potentially causing a Denial of Service (DoS) by exhausting available database connections. An update is now available for Red Hat build of Quarkus. Issues addressed include crlf injection and denial of service vulnerabilities. • https://access.redhat.com/security/cve/CVE-2025-14969 • CWE-772: Missing Release of Resource after Effective Lifetime •
CVSS: 7.8 | EPSS: 0% | CPEs: 28 | EXPL: 0 | CVE-2024-3884 – Undertow: OutOfMemory when parsing form data encoded with application/x-www-form-urlencoded
https://notcve.org/view.php?id=CVE-2024-3884
03 Dec 2025 — A flaw was found in Undertow that can cause remote denial of service attacks. When the server uses the FormEncodedDataDefinition.doParse(StreamSourceChannel) method to parse large form data encoding with application/x-www-form-urlencoded, the method will cause an OutOfMemory issue. This flaw allows unauthorized users to cause a remote denial of service (DoS) attack. A security update is now available for Red Hat JBoss Enterprise Application Platform 8.0 for Red Hat Enterprise Linux 9. Red Hat Product Securi... • https://access.redhat.com/security/cve/CVE-2024-3884 • CWE-20: Improper Input Validation •
CVSS: 9.4 | EPSS: 0% | CPEs: 2 | EXPL: 0 | CVE-2024-12225 – io.quarkus:quarkus-security-webauthn: Quarkus WebAuthn unexpected authentication bypass
https://notcve.org/view.php?id=CVE-2024-12225
06 May 2025 — A vulnerability was found in Quarkus in the quarkus-security-webauthn module. The Quarkus WebAuthn module publishes default REST endpoints for registering and logging users in while allowing developers to provide custom REST endpoints. When developers provide custom REST endpoints, the default endpoints remain accessible, potentially allowing attackers to obtain a login cookie that has no corresponding user in the Quarkus application or, depending on how the application is written, could correspond to an ex... • https://access.redhat.com/security/cve/CVE-2024-12225 • CWE-288: Authentication Bypass Using an Alternate Path or Channel •
CVSS: 7.8 | EPSS: 0% | CPEs: 10 | EXPL: 0 | CVE-2025-2240 – smallrye-fault-tolerance: SmallRye Fault Tolerance
https://notcve.org/view.php?id=CVE-2025-2240
12 Mar 2025 — A flaw was found in Smallrye, where smallrye-fault-tolerance is vulnerable to an out-of-memory (OOM) issue. This vulnerability is externally triggered when calling the metrics URI. Every call creates a new object within meterMap and may lead to a denial of service (DoS) issue. An update is now available for Red Hat build of Quarkus. • https://access.redhat.com/security/cve/CVE-2025-2240 • CWE-1325: Improperly Controlled Sequential Memory Allocation •
CVSS: 7.8 | EPSS: 0% | CPEs: 3 | EXPL: 0 | CVE-2025-1634 – io.quarkus:quarkus-resteasy: memory leak in Quarkus RESTEasy Classic when client requests time out
https://notcve.org/view.php?id=CVE-2025-1634
26 Feb 2025 — A flaw was found in the quarkus-resteasy extension, which causes memory leaks when client requests with low timeouts are made. If a client request times out, a buffer is not released correctly, leading to increased memory usage and eventual application crash due to OutOfMemoryError. • https://access.redhat.com/security/cve/CVE-2025-1634 • CWE-401: Missing Release of Memory after Effective Lifetime •
CVSS: 8.7 | EPSS: 0% | CPEs: 3 | EXPL: 0 | CVE-2025-1247 – io.quarkus:quarkus-rest: Quarkus REST endpoint request parameter leakage due to shared instance
https://notcve.org/view.php?id=CVE-2025-1247
13 Feb 2025 — A flaw was found in Quarkus REST that allows request parameters to leak between concurrent requests if endpoints use field injection without a CDI scope. This vulnerability allows attackers to manipulate request data, impersonate users, or access sensitive information. An update for Red Hat Build of Apache Camel 4.8 for Quarkus 3.15 update is now available. The purpose of this text-only errata is to inform you about the enhancements that improve your developer experience and ensure the security and stabilit... • https://access.redhat.com/security/cve/CVE-2025-1247 • CWE-488: Exposure of Data Element to Wrong Session •
CVSS: 7.4 | EPSS: 0% | CPEs: 18 | EXPL: 0 | CVE-2024-12397 – io.quarkus.http/quarkus-http-core: Quarkus HTTP cookie smuggling
https://notcve.org/view.php?id=CVE-2024-12397
12 Dec 2024 — A flaw was found in Quarkus-HTTP, which incorrectly parses cookies with certain value-delimiting characters in incoming requests. This issue could allow an attacker to construct a cookie value to exfiltrate HttpOnly cookie values or spoof arbitrary additional cookie values, leading to unauthorized data access or modification. The main threat from this flaw impacts data confidentiality and integrity. • https://access.redhat.com/security/cve/CVE-2024-12397 • CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') •
CVSS: 7.8 | EPSS: 0% | CPEs: 11 | EXPL: 0 | CVE-2023-6841 – Keycloak: amount of attributes per object is not limited and it may lead to DoS
https://notcve.org/view.php?id=CVE-2023-6841
10 Sep 2024 — A denial of service vulnerability was found in Keycloak where the amount of attributes per object is not limited. An attacker sending repeated HTTP requests could cause resource exhaustion when the application sends back rows with long attribute values. • https://access.redhat.com/security/cve/CVE-2023-6841 • CWE-231: Improper Handling of Extra Values •
CVSS: 7.8 | EPSS: 10% | CPEs: 24 | EXPL: 0 | CVE-2024-7885 – Undertow: improper state management in PROXY protocol parsing causes information leakage
https://notcve.org/view.php?id=CVE-2024-7885
21 Aug 2024 — A vulnerability was found in Undertow where the ProxyProtocolReadListener reuses the same StringBuilder instance across multiple requests. This issue occurs when the parseProxyProtocolV1 method processes multiple requests on the same HTTP connection. As a result, different requests may share the same StringBuilder instance, potentially leading to information leakage between requests or responses. In some cases, a value from a previous request or response may be erroneously reused, which could lead to uninte... • https://access.redhat.com/security/cve/CVE-2024-7885 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
