
CVE-2024-12225: Authentication Bypass Using an Alternate Path or Channel

Critical
Published: Tue May 06 2025 (05/06/2025, 19:49:16 UTC)
Source: CVE

Description

A vulnerability was found in Quarkus in the quarkus-security-webauthn module. The Quarkus WebAuthn module publishes default REST endpoints for registering and logging users in while allowing developers to provide custom REST endpoints. When developers provide custom REST endpoints, the default endpoints remain accessible, potentially allowing attackers to obtain a login cookie that has no corresponding user in the Quarkus application or, depending on how the application is written, could correspond to an existing user that has no relation with the current attacker, allowing anyone to log in as an existing user by just knowing that user's user name.

AI-Powered Analysis

Last updated: 11/20/2025, 07:54:21 UTC

Technical Analysis

CVE-2024-12225 is a critical security vulnerability identified in the Quarkus framework's quarkus-security-webauthn module, which handles Web Authentication (WebAuthn) for user registration and login via REST endpoints. Quarkus provides default REST endpoints for these operations but also allows developers to define custom endpoints tailored to their application needs. The vulnerability occurs when developers implement custom endpoints but fail to disable or restrict access to the default endpoints. Consequently, both sets of endpoints remain accessible simultaneously. An attacker can exploit this by interacting with the default endpoints to obtain a login cookie that either does not map to any user or, depending on the application's internal logic, maps to an existing user account unrelated to the attacker. This flaw enables an authentication bypass, allowing attackers to impersonate legitimate users simply by knowing their usernames, without requiring any authentication credentials or user interaction. The vulnerability has a CVSS v3.1 score of 9.1 (critical), reflecting its ease of exploitation (network vector, no privileges, no user interaction) and severe impact on confidentiality and integrity. While no known exploits are reported in the wild, the potential for unauthorized access and data compromise is significant. The root cause lies in the coexistence of default and custom endpoints without proper access control or endpoint disabling, leading to session management flaws and improper user association with authentication tokens.

Potential Impact

For European organizations, this vulnerability poses a severe risk to the confidentiality and integrity of user accounts and sensitive data. Attackers can bypass authentication controls and gain unauthorized access to applications using the Quarkus WebAuthn module, potentially leading to data breaches, identity theft, and unauthorized transactions. Organizations relying on Quarkus for critical web applications, especially those handling personal data under GDPR, face regulatory and reputational damage if exploited. The vulnerability could facilitate lateral movement within networks if attackers gain access to privileged accounts. Additionally, sectors such as finance, healthcare, and government services in Europe, which often use modern Java frameworks like Quarkus, are particularly vulnerable. The ease of exploitation without any authentication or user interaction increases the likelihood of automated attacks targeting exposed endpoints. The lack of known exploits in the wild suggests the window for proactive mitigation is still open, but the critical severity demands immediate attention.

Mitigation Recommendations

1. Immediately audit all Quarkus applications using the quarkus-security-webauthn module to identify if default REST endpoints are exposed alongside custom endpoints.
2. Disable or restrict access to the default WebAuthn REST endpoints when custom endpoints are implemented, ensuring only one set of endpoints is accessible.
3. Implement strict access controls and validation on all authentication endpoints to verify session tokens and user associations robustly.
4. Monitor application logs for unusual authentication activity, such as login attempts with valid usernames but unexpected session cookies.
5. Apply any official patches or updates from Quarkus or Red Hat addressing CVE-2024-12225 as soon as they become available.
6. Conduct thorough security testing, including penetration testing focused on authentication flows, to detect similar bypass issues.
7. Educate development teams on secure endpoint management and the risks of leaving default endpoints enabled.
8. Consider implementing Web Application Firewall (WAF) rules to detect and block suspicious requests targeting default endpoints.
9. Review session management and cookie handling mechanisms to ensure strict binding between session tokens and authenticated users.
10. For critical applications, consider multi-factor authentication as an additional layer to mitigate unauthorized access risks.
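As an added example (not code from the advisory or from the Quarkus project), the script below walks a constructed access-log excerpt and flags requests that reach the framework's default WebAuthn endpoints in an application that serves its own login and registration routes, which is the coexistence the technical analysis describes and what mitigation steps 1, 4 and 8 ask you to check for. The default path prefix /q/webauthn/ and the cookie name quarkus-credential are assumptions about Quarkus defaults, not values taken from this page.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Set

# Constructed access-log excerpt (fields: client, method, path, status, cookie set).
# The application in this scenario serves its own login at /auth/login; the
# /q/webauthn/... paths are the framework defaults, which remain reachable here.
SAMPLE_LOG = """\
10.0.0.5 POST /auth/login 200 quarkus-credential
10.0.0.5 GET /app/home 200 -
198.51.100.7 POST /q/webauthn/login 200 quarkus-credential
198.51.100.7 POST /q/webauthn/register 200 quarkus-credential
203.0.113.9 POST /q/webauthn/login 404 -
"""

# Assumptions, not values from the advisory: Quarkus publishes its default
# WebAuthn endpoints under "/q/webauthn/" and names its login cookie
# "quarkus-credential". Adjust both if your deployment differs.
DEFAULT_PREFIX = "/q/webauthn/"
LOGIN_COOKIE = "quarkus-credential"

LINE_RE = re.compile(
    r"^(?P<client>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3}) (?P<cookie>\S+)$"
)

@dataclass(frozen=True)
class Finding:
    client: str
    path: str
    status: int
    issued_session: bool  # a login cookie came back from a default endpoint

def audit_log(lines: Iterable[str], custom_auth_paths: Set[str],
              prefix: str = DEFAULT_PREFIX, cookie: str = LOGIN_COOKIE) -> List[Finding]:
    """Flag requests that hit the framework's default WebAuthn endpoints while the
    application exposes its own authentication routes (the CVE-2024-12225 condition).
    Requests to the custom routes and to unrelated paths are ignored."""
    findings = []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not a line in the format we understand
        path = m.group("path").split("?", 1)[0]
        if path in custom_auth_paths or not path.startswith(prefix):
            continue
        status = int(m.group("status"))
        issued = 200 <= status < 300 and m.group("cookie") == cookie
        findings.append(Finding(m.group("client"), path, status, issued))
    return findings

def default_endpoints_exposed(findings: List[Finding]) -> bool:
    """True when a default endpoint answered successfully and issued a session,
    i.e. the default routes were never disabled and step 2 above still applies."""
    return any(f.issued_session for f in findings)
```

Run it over a real access log in the same five-field shape (client, method, path, status, cookie name or "-") and treat any finding with issued_session=True as the default endpoints still being live.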


Technical Details

Data Version: 5.1
Assigner Short Name: redhat
Date Reserved: 2024-12-05T03:01:11.272Z
Cisa Enriched: true
Cvss Version: 3.1
State: PUBLISHED

Threat ID: 682d9818c4522896dcbd81fd

Added to database: 5/21/2025, 9:08:40 AM

Last enriched: 11/20/2025, 7:54:21 AM

Last updated: 11/22/2025, 4:41:52 PM

