6.4

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-49574

GHSA ID

GHSA-9623-mj7j-p9v4

EPSS Score

0.05525%

CWE

CWE-668

Published

6/23/2025

Updated

6/27/2025

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-49574

CVE-2025-49574: Quarkus potentially leaks data when duplicating a duplicated context

Impact

Vert.x 4.5.12 has changed the semantics of the duplication of duplicated context.

Duplicated context is an object used to propagate data through a processing (synchronous or asynchronous). Each "transaction" or "processing" runs on its own isolated duplicated context.

Initially, duplicating a duplicated context was creating a fresh (empty) new context, meaning that the new duplicated context can be used to managed a separated transaction.

In Vert.x 4.5.12, this semantics has changed, and since the content of the parent duplicated context is copied into the new one, potentially leaking data.

This CVE is especially for Quarkus as Quarkus extensively uses the Vert.x duplicated context to implement context propagation. With the new semantic data from one transaction can leak to the data from another transaction. From a Vert.x point of view, this new semantic clarifies the behavior.

A significant amount of data is stored in the duplicated context, including request scope, security details, and metadata. Duplicating a duplicated context is rather rare and is only done in a few places:

Quarkus REST Client when using OTel (but it's the same transaction, so no leak)
Quarkus Messaging connectors
Quarkus SmallRye Health (same transaction, so no leak)

Patches

After discussion with the Vert.x team, the change will be rolled back in Vert.x 4.x. A new API will be added to Vert.x 5 do distinguish the 2 cases.

Workarounds

When duplicating a duplicated context, the following code can be done to avoid the potential leak:

((ContextInternal) VertxContext.getRootContext(ctx)).duplicate()

This workaround would not be required once the Vert.x version containing the fix will be included. Note that the workaround would still work.

References

This issue have been reported in https://github.com/quarkusio/quarkus/issues/48227.

(GitHub Advisory)

6.4

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-49574

GHSA ID

GHSA-9623-mj7j-p9v4

EPSS Score

0.05525%

CWE

CWE-668

Published

6/23/2025

Updated

6/27/2025

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
io.quarkus:quarkus-vertx	maven	<= 3.15.5
io.quarkus:quarkus-vertx	maven	>= 3.16.0.CR1, <= 3.20.1
io.quarkus:quarkus-vertx	maven	>= 3.21.0.CR1, < 3.24.0	3.24.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability exists due to a change in the behavior of Vert.x's Context.duplicate() method in version 4.5.12. Previously, duplicating an already duplicated context would result in a new, empty context. The change caused it to inherit data from the parent context, leading to potential data leakage between different transactions in Quarkus applications, which rely heavily on this mechanism for context propagation, especially in reactive messaging.

The provided patch addresses the issue by upgrading the Vert.x dependency to version 4.5.16, where this semantic change was rolled back. Concurrently, the Quarkus code was updated to avoid relying on this implicit behavior.

The analysis of the commit 2b58f59f4bf0bae7d35b1abb585b65f2a66787d1 points to io.quarkus.smallrye.reactivemessaging.runtime.ContextualEmitterImpl.sendMessage as the key function. This function is part of the reactive messaging system and is responsible for propagating context when sending messages. The patch modifies this function to introduce a new helper method, createContextualMessage, which explicitly controls the duplication of the context and the copying of local data. This change ensures that even with the reverted (and now correct) behavior in Vert.x, the intended context propagation for the emitter works as expected without leaking unintended data from other transactions. The vulnerability is triggered when an application uses this emitter, as it would invoke the faulty context duplication logic in the vulnerable Vert.x versions.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t V*rt.x *.*.** **s ***n*** t** s*m*nti*s o* t** *upli**tion o* *upli**t** *ont*xt. *upli**t** *ont*xt is *n o*j**t us** to prop***t* **t* t*rou** * pro**ssin* (syn**ronous or *syn**ronous). **** "tr*ns**tion" or "pro**ssin*" runs on its o

Reasoning

T** vuln*r**ility *xists *u* to * ***n** in t** ****vior o* V*rt.x's `*ont*xt.*upli**t*()` m*t*o* in v*rsion *.*.**. Pr*viously, *upli**tin* *n *lr***y *upli**t** *ont*xt woul* r*sult in * n*w, *mpty *ont*xt. T** ***n** **us** it to in**rit **t* *rom

6.4

Basic Information

Concerned about an active attack path?

CVE-2025-49574: Quarkus potentially leaks data when duplicating a duplicated context

Impact

Patches

Workarounds

References

6.4

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI