CVE-2025-1247: Exposure of Data Element to Wrong Session
A flaw was found in Quarkus REST that allows request parameters to leak between concurrent requests if endpoints use field injection without a CDI scope. This vulnerability allows attackers to manipulate request data, impersonate users, or access sensitive information.
AI Analysis
Technical Summary
CVE-2025-1247 is a high-severity flaw in Quarkus REST (formerly RESTEasy Reactive), the JAX-RS implementation of the Quarkus Java framework used for cloud-native microservices. A resource class that carries no CDI scope annotation defaults to @Singleton, so the framework creates one instance and reuses it for every request. If such a class receives request data through field injection (for example @QueryParam, @HeaderParam or @PathParam, or the Quarkus shortcuts @RestQuery, @RestHeader and @RestPath, placed on fields rather than on method parameters), each incoming request writes its values into the fields of that single shared object before the handler method runs. Two requests processed concurrently can interleave those writes, so a handler may read the parameters of a different caller. This is CWE-488 (Exposure of Data Element to Wrong Session); the leak is between concurrent requests inside one JVM, not between HTTP sessions. An attacker cannot choose whose data arrives, so the attack is statistical: flooding the endpoint with concurrent requests raises the odds that a victim's request executes with attacker-supplied values (integrity, impersonation) or that the attacker's own response carries values from a victim's request (confidentiality). The issue carries a CVSS v3.1 base score of 8.3 (High): high confidentiality and integrity impact, low availability impact, low attack complexity, low privileges and no user interaction required. No public exploit was known at the time of analysis, but the trigger is ordinary concurrent load, so an affected endpoint behind real traffic is already exposed, and unintended leaks can occur without any attacker. The root cause is the combination of the singleton default scope with per-request field injection; it is not a defect in HTTP session handling. Remediation is to upgrade to a Quarkus release that contains the fix (the Quarkus security advisory lists the fixed version for each release stream) and to stop holding request data in fields of unscoped resource classes.
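The mechanism above can be shown without Quarkus at all. The following is an added illustration, not code from the Quarkus project or from the advisory: a plain-Java model in which `SingletonResource` plays the role of an unscoped resource class with an injected field, `setFieldThenCall` plays the framework's "inject the field, then invoke the handler" sequence, and `RequestScopedResource` plays the fixed form. All class and method names and the `user-N` sample inputs are constructed for the demonstration. Run it with `java ScopeLeakDemo.java` (JDK 11 or later); the first line reports a non-zero number of responses that carried another caller's value, the second reports zero.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.concurrent.atomic.AtomicInteger;

// Added illustration: models what Quarkus REST does with a resource class that
// has no CDI scope (one shared instance) and reads request data from fields.
public class ScopeLeakDemo {

    // Stand-in for:  @Path("/whoami") public class Res { @RestQuery String user; ... }
    // with no scope annotation. The framework keeps ONE instance and, for each
    // request, writes the parameter into the field and then calls the method.
    static class SingletonResource {
        String user;                         // shared across all in-flight requests
        String whoami() {
            Thread.yield();                  // the handler's own work; widens the window
            return user;                     // may now be another caller's value
        }
    }

    // Stand-in for the fixed forms: a @RequestScoped instance per request, or a
    // handler that takes the parameter as a method argument instead of a field.
    static class RequestScopedResource {
        String whoami(String user) {
            Thread.yield();
            return user;                     // only ever this request's value
        }
    }

    // Mirrors the framework's "inject field, then invoke" sequence.
    static String setFieldThenCall(SingletonResource res, String user) {
        res.user = user;
        return res.whoami();
    }

    // Fires `requests` concurrent calls, each with a distinct user name, and
    // counts how many responses carried a name that belonged to someone else.
    static int countLeakedResponses(boolean singletonWithFields, int requests, int threads)
            throws Exception {
        SingletonResource shared = new SingletonResource();
        ExecutorService pool = Executors.newFixedThreadPool(threads);
        CountDownLatch go = new CountDownLatch(1);
        AtomicInteger leaked = new AtomicInteger();
        List<Future<?>> inFlight = new ArrayList<>();
        for (int i = 0; i < requests; i++) {
            String me = "user-" + i;         // constructed sample input
            inFlight.add(pool.submit(() -> {
                go.await();                  // release all workers together
                String seen = singletonWithFields
                        ? setFieldThenCall(shared, me)
                        : new RequestScopedResource().whoami(me);
                if (!me.equals(seen)) leaked.incrementAndGet();
                return null;
            }));
        }
        go.countDown();
        for (Future<?> f : inFlight) f.get();
        pool.shutdown();
        return leaked.get();
    }

    public static void main(String[] args) throws Exception {
        int n = 50_000;
        System.out.println("unscoped (singleton) + field injection: "
                + countLeakedResponses(true, n, 8) + " of " + n
                + " responses held another caller's data");
        System.out.println("request scope / method parameter:        "
                + countLeakedResponses(false, n, 8) + " of " + n
                + " responses held another caller's data");
    }
}
```

The exact leak count varies with core count and scheduler, which is the point: the defect is a race, so a single request in a test environment will almost never reproduce it while production load does.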
Potential Impact
The impact falls on any organization running Quarkus REST microservices that read request parameters through field injection on unscoped resource classes. On the confidentiality side, an attacker's response can contain another caller's query parameters, path segments or headers, which in a real application may include account identifiers, tokens or tenant keys. On the integrity side, a victim's request can be processed with attacker-supplied values, so an operation may be applied to the wrong account or a lookup performed as the wrong user, which enables impersonation and unauthorized transactions. Exploitation needs nothing beyond the ability to send many concurrent requests (low complexity, no user interaction), so multi-tenant and high-concurrency deployments are the most exposed, and the same mixing can occur unintentionally under normal traffic. Leaked credentials or tenant identifiers could support further access within the environment, but that depends entirely on what the affected endpoint exposes. The availability impact is low; the confidentiality and integrity impact is high, which makes the issue serious for financial services, healthcare and any application handling personal data, with the regulatory and reputational consequences that follow a cross-customer data leak.
Mitigation Recommendations
The defect lies in an application code pattern that the framework accepted, so remediation is a code change plus an upgrade. First, inventory every Quarkus REST resource class (annotated with @Path) that has no CDI scope annotation and injects request data into fields: look for @QueryParam, @HeaderParam, @PathParam, @CookieParam, @FormParam, @MatrixParam and @BeanParam, and the Quarkus shortcuts @RestQuery, @RestHeader, @RestPath, @RestCookie and @RestForm, on fields rather than on method parameters. Fix each one either by moving the injected values to parameters of the handler method, which is the idiomatic Quarkus REST form and leaves the singleton with no per-request state, or by annotating the class with @RequestScoped so the framework creates a fresh instance per request. Constructor injection is not a fix: a singleton's constructor runs once, so anything injected there is shared as well. Upgrade to a Quarkus release that contains the fix for CVE-2025-1247 (the Quarkus security advisory lists the fixed version for each release stream), but still treat the code audit as required, because the pattern remains a correctness hazard. Generic input validation and WAF rules are of little use here: the mixing happens inside the JVM between requests that are individually well formed, so a perimeter device sees nothing abnormal. Detection is better done in the application or its logs, for example by correlating the authenticated principal with the identifiers a handler actually acted on and alerting on mismatches. Add a concurrency test that fires many parallel requests with distinct parameters and asserts that every response echoes its own, put the field-injection pattern on code review checklists and static analysis rules, and make sure developers know that an unscoped Quarkus REST resource is a singleton.
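The vulnerable pattern and the two fixes, as an added example written for this page (not code from the Quarkus project or the advisory). It assumes a standard Quarkus application with the `quarkus-rest` extension and, for the test, `quarkus-junit5` and `quarkus-junit5`'s REST Assured dependency; the package `org.acme`, the class names, the paths, the `X-Tenant` header and the `uN`/`tN` sample values are all hypothetical. The test targets `/fixed-b/whoami` and passes; pointed at `/vuln/whoami` on an unpatched Quarkus it fails intermittently, which is the expected signature of this bug.

```java
// ---- src/main/java/org/acme/LeakyResource.java ----
// VULNERABLE on unpatched Quarkus REST: no CDI scope, so the class is a
// @Singleton, and every request writes into the same two fields.
package org.acme;

import jakarta.ws.rs.GET;
import jakarta.ws.rs.HeaderParam;
import jakarta.ws.rs.Path;
import org.jboss.resteasy.reactive.RestQuery;

@Path("/vuln/whoami")
public class LeakyResource {
    @RestQuery String user;                  // query parameter "user", hypothetical
    @HeaderParam("X-Tenant") String tenant;  // hypothetical header

    @GET
    public String whoami() {
        // Under concurrent load `user`/`tenant` may belong to another caller.
        return user + "@" + tenant;
    }
}

// ---- src/main/java/org/acme/ScopedResource.java ----
// FIX A: keep field injection but declare the scope, one instance per request.
package org.acme;

import jakarta.enterprise.context.RequestScoped;
import jakarta.ws.rs.GET;
import jakarta.ws.rs.HeaderParam;
import jakarta.ws.rs.Path;
import org.jboss.resteasy.reactive.RestQuery;

@Path("/fixed-a/whoami")
@RequestScoped
public class ScopedResource {
    @RestQuery String user;
    @HeaderParam("X-Tenant") String tenant;

    @GET
    public String whoami() { return user + "@" + tenant; }
}

// ---- src/main/java/org/acme/StatelessResource.java ----
// FIX B (preferred): request data arrives as method parameters, so the
// singleton holds no per-request state at all.
package org.acme;

import jakarta.ws.rs.GET;
import jakarta.ws.rs.HeaderParam;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.QueryParam;

@Path("/fixed-b/whoami")
public class StatelessResource {
    @GET
    public String whoami(@QueryParam("user") String user,
                         @HeaderParam("X-Tenant") String tenant) {
        return user + "@" + tenant;
    }
}

// ---- src/test/java/org/acme/WhoAmIConcurrencyTest.java ----
// Regression test: N parallel callers with distinct values; every response
// must echo exactly the values that caller sent.
package org.acme;

import static io.restassured.RestAssured.given;
import static org.junit.jupiter.api.Assertions.assertEquals;

import io.quarkus.test.junit.QuarkusTest;
import java.util.ArrayList;
import java.util.List;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import org.junit.jupiter.api.Test;

@QuarkusTest
public class WhoAmIConcurrencyTest {
    @Test
    void everyCallerGetsOnlyItsOwnData() throws Exception {
        ExecutorService pool = Executors.newFixedThreadPool(16);
        List<Future<Boolean>> results = new ArrayList<>();
        for (int i = 0; i < 500; i++) {
            String user = "u" + i, tenant = "t" + i;   // constructed sample input
            results.add(pool.submit(() -> {
                String body = given().queryParam("user", user)
                        .header("X-Tenant", tenant)
                        .when().get("/fixed-b/whoami")
                        .then().statusCode(200).extract().asString();
                return (user + "@" + tenant).equals(body);
            }));
        }
        int leaked = 0;
        for (Future<Boolean> f : results) if (!f.get()) leaked++;
        pool.shutdown();
        assertEquals(0, leaked, "responses that carried another caller's data");
    }
}
```

Fix B is the one to prefer when refactoring: it removes the shared state rather than paying for a new resource instance on every request, and it survives a later developer dropping the @RequestScoped annotation.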
Affected Countries
United States, Germany, India, United Kingdom, France, Japan, Canada, Australia, Netherlands, Brazil
Technical Details
- Data Version: 5.1
- Assigner Short Name: redhat
- Date Reserved: 2025-02-12T09:43:11.716Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68af0c87ad5a09ad00627bd4
Added to database: 8/27/2025, 1:47:51 PM
Last enriched: 3/24/2026, 12:22:25 AM
Last updated: 5/9/2026, 8:23:27 AM