CVE-2025-1247 is a vulnerability identified in the Quarkus REST framework, a popular Java framework for building cloud-native microservices. The flaw occurs when REST endpoints use field injection without specifying a CDI (Contexts and Dependency Injection) scope, which is critical for managing the lifecycle of injected fields. In such cases, request parameters from one HTTP request can inadvertently leak into another concurrent request due to improper isolation of request-scoped data. This leakage happens because the framework fails to correctly segregate data between sessions when field injection is used without a defined scope, causing data elements to be exposed to the wrong session. An attacker with network access and low privileges can exploit this to manipulate request parameters, impersonate other users, or access sensitive information belonging to other sessions. The vulnerability affects all versions of Quarkus REST prior to the fix and has a CVSS v3.1 score of 8.3, indicating high severity. The attack vector is network-based with low attack complexity, requiring no user interaction, and impacts confidentiality and integrity significantly, with a limited impact on availability. No known exploits have been reported in the wild yet, but the flaw poses a serious risk in multi-tenant or concurrent request environments typical in microservices architectures.

The vulnerability can lead to unauthorized data disclosure and session impersonation, severely impacting confidentiality and integrity of applications using Quarkus REST. Attackers can manipulate request data to gain unauthorized access or perform actions on behalf of other users, potentially leading to data breaches, privilege escalation, and loss of trust. Organizations relying on Quarkus for critical microservices, especially those handling sensitive or regulated data, face increased risk of compliance violations and reputational damage. The concurrency aspect means that high-traffic services are particularly vulnerable, as simultaneous requests increase the likelihood of data leakage. Although availability impact is low, the breach of sensitive data and user impersonation can have cascading effects on business operations and customer trust worldwide.

To mitigate this vulnerability, developers should avoid using field injection in Quarkus REST endpoints without explicitly defining a CDI scope that ensures proper request isolation, such as @RequestScoped. Refactoring code to use method injection or constructor injection with appropriate scoping can prevent data leakage. Applying the latest Quarkus patches and updates as soon as they become available is critical. Additionally, implementing strict input validation and monitoring for anomalous request patterns can help detect exploitation attempts. Organizations should conduct code audits to identify unsafe injection patterns and review concurrency handling in REST endpoints. Employing runtime application self-protection (RASP) or web application firewalls (WAF) with custom rules to detect unusual session behavior may provide additional defense layers until patches are applied.