
CVE-2025-1247: Exposure of Data Element to Wrong Session

Severity: High
Published: Thu Feb 13 2025 (02/13/2025, 13:26:26 UTC)
Source: CVE Database V5

Description

A flaw was found in Quarkus REST that allows request parameters to leak between concurrent requests if endpoints use field injection without a CDI scope. This vulnerability allows attackers to manipulate request data, impersonate users, or access sensitive information.

AI-Powered Analysis

Last updated: 08/27/2025, 14:02:52 UTC

Technical Analysis

CVE-2025-1247 is a high-severity vulnerability in the Quarkus REST framework, caused by improper handling of request parameters under concurrent requests. The flaw arises when a REST endpoint injects request parameters into fields without declaring a Contexts and Dependency Injection (CDI) scope; the resource instance is then shared, and request parameters can leak between the concurrent requests being served by that instance. Data intended for one user's request can therefore be exposed to another, enabling attackers to manipulate request data, impersonate users, or access sensitive information. The vulnerability is exploitable remotely (network vector) with low attack complexity; it requires some level of privileges (PR:L) but no user interaction. The impact on confidentiality and integrity is high, while the availability impact is low. The affected version is listed as "0" in the affectedVersions field, which likely means initial or unspecified versions of Quarkus REST. No exploits are currently reported in the wild, but the potential for serious data leakage and session hijacking makes this a critical issue for applications that rely on Quarkus REST to handle concurrent requests without proper CDI scoping. The vulnerability was published on February 13, 2025, and is tracked under CVE-2025-1247 with a CVSS v3.1 score of 8.3, indicating a high threat level.

Potential Impact

For European organizations, the impact of CVE-2025-1247 can be significant, especially for those relying on Quarkus REST in their web applications or microservices architectures. The leakage of request parameters between concurrent sessions can lead to unauthorized access to sensitive personal data, violating GDPR requirements and potentially resulting in regulatory fines and reputational damage. Attackers could impersonate legitimate users, leading to fraudulent transactions, data manipulation, or unauthorized actions within critical business systems. The integrity of data and user sessions is compromised, which can disrupt business operations and erode customer trust. Given the widespread adoption of Java frameworks like Quarkus in enterprise environments across Europe, this vulnerability poses a risk to sectors such as finance, healthcare, government, and e-commerce, where secure session management is paramount. The low availability impact suggests service disruption is less likely, but confidentiality and integrity breaches alone justify urgent remediation.

Mitigation Recommendations

To mitigate CVE-2025-1247, organizations should immediately review their use of Quarkus REST endpoints to ensure that field injection is always accompanied by an appropriate CDI scope, such as @RequestScoped, so that each request gets its own resource instance and its parameters are isolated from other concurrent requests. Developers must audit code for any injection points lacking explicit CDI scoping and refactor accordingly. Applying vendor patches or updates as soon as they become available is critical, even though no patch links are currently provided. In the interim, implementing strict input validation and session management controls can reduce exploitation risk. Additionally, monitoring application logs for anomalous concurrent request patterns may help detect exploitation attempts. Security teams should also conduct penetration testing focused on session management and parameter leakage. Finally, educating developers about secure dependency injection practices in Quarkus and enforcing secure coding standards will prevent recurrence of similar issues.
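The following is an added illustration of the pattern the advisory describes and of the scoped alternative; it is example code written for this page, not code from the Quarkus project. It assumes the standard Jakarta REST and CDI annotations that Quarkus REST uses; the resource names, paths and parameter names are invented for illustration, and each class would normally live in its own source file.

```java
import jakarta.enterprise.context.RequestScoped;
import jakarta.ws.rs.GET;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.QueryParam;

// Vulnerable pattern: no CDI scope annotation. Quarkus REST treats the resource
// as a singleton, so the injected field is shared by every concurrent request.
// Request A's value can be overwritten by request B between injection and use.
@Path("/account")
public class AccountResource {

    @QueryParam("accountId")
    String accountId; // shared across requests on the single instance

    @GET
    public String show() {
        return "balance for " + accountId; // may reflect another request's parameter
    }
}

// Hardened form: @RequestScoped gives each request its own resource instance,
// so field-injected parameters are isolated per request.
@RequestScoped
@Path("/account-scoped")
public class ScopedAccountResource {

    @QueryParam("accountId")
    String accountId; // one instance per request, no sharing

    @GET
    public String show() {
        return "balance for " + accountId;
    }
}

// Alternative that sidesteps instance scoping: inject the parameter into the
// method instead of a field. Method parameters are local to the call, so this
// is safe even when the resource stays a singleton.
@Path("/account-param")
public class ParamAccountResource {

    @GET
    public String show(@QueryParam("accountId") String accountId) {
        return "balance for " + accountId;
    }
}
```

When auditing, search for `@QueryParam`, `@PathParam`, `@HeaderParam`, `@FormParam` and `@CookieParam` on fields of classes annotated with `@Path` that carry no scope annotation; those are the injection points to refactor.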


Technical Details

Data Version: 5.1
Assigner Short Name: redhat
Date Reserved: 2025-02-12T09:43:11.716Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68af0c87ad5a09ad00627bd4

Added to database: 8/27/2025, 1:47:51 PM

Last enriched: 8/27/2025, 2:02:52 PM

Last updated: 9/4/2025, 10:23:09 PM
