CVE-2020-25724: Unsynchronized Access to Shared Data in a Multithreaded Context in RESTEasy

CVSS Score: 4.3 (CVSS v3.1)

Basic Information
CVE ID: CVE-2020-25724
GHSA ID:
EPSS Score: 0.33813%
CWE: CWE-567
Published: 6/8/2021
Updated: 2/1/2023
KEV Status: No
Technology: Java
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| org.jboss.resteasy:resteasy-bom | maven | <= 2.0-beta-1 | 2.0-beta-2 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from improper synchronization in HTTP response handling. No patch is available for analysis, but the CWE-567 classification and the advisory descriptions point to reuse of response objects across threads. ClientResponse.getEntity() is the prime candidate, since it handles the deserialized response content: in vulnerable versions, concurrent calls to this method on a shared ClientResponse instance, without synchronization, could expose response data belonging to one thread to another. This matches the described information-disclosure impact (confidentiality: low) and the multithreaded-context weakness.