CVE-2025-1634 identifies a memory management flaw in the quarkus-resteasy extension, a component widely used in Java microservices frameworks for RESTful web services. The vulnerability arises when client requests with low timeout settings cause the server to prematurely terminate processing. In such cases, an internal buffer allocated for handling the request is not released correctly, resulting in a memory leak. Over time, repeated occurrences of these timed-out requests cause the application’s memory usage to grow uncontrollably, eventually triggering an OutOfMemoryError and crashing the application. The vulnerability is remotely exploitable without authentication or user interaction, as it is triggered simply by sending requests with low timeout values. The CVSS v3.1 score of 7.5 reflects a high severity primarily due to the impact on availability (denial of service) rather than confidentiality or integrity. Although no exploits are currently known in the wild, the flaw poses a significant risk to service stability, especially in environments with high traffic and aggressive timeout policies. The affected versions are not explicitly detailed but presumably include early or unpatched releases of the quarkus-resteasy extension. The issue was publicly disclosed in February 2025, with no immediate patch links available, indicating a need for vigilance and proactive mitigation by affected parties.

For European organizations, the primary impact of CVE-2025-1634 is on service availability. Applications using quarkus-resteasy that handle numerous client requests with low timeout configurations may experience progressive memory leaks leading to application crashes. This can cause denial of service, disrupting business operations, customer-facing services, and internal processes dependent on these applications. Industries relying heavily on Java microservices architectures, such as finance, telecommunications, and e-government services, could face operational outages and reputational damage. The lack of confidentiality or integrity impact reduces the risk of data breaches, but the availability disruption alone can have severe financial and regulatory consequences under frameworks like GDPR. Additionally, recovery from crashes may require manual intervention or automated restarts, increasing operational overhead. The vulnerability’s remote exploitability without authentication means attackers or even benign clients can inadvertently trigger outages, complicating incident response and mitigation efforts.

European organizations should prioritize updating the quarkus-resteasy extension to patched versions as soon as they become available from the vendor or community. In the interim, they should implement strict monitoring of application memory usage and configure alerting for abnormal increases. Adjusting client request timeout settings to avoid excessively low values can reduce the likelihood of triggering the leak. Employing circuit breakers or rate limiting on incoming requests may help mitigate the risk of rapid memory exhaustion. Application-level logging should be enhanced to detect and diagnose timeout-related events. Organizations should also consider deploying application performance management (APM) tools that can trace memory allocation and release patterns. In containerized or orchestrated environments, automated restarts upon memory threshold breaches can reduce downtime. Finally, conducting thorough testing of applications under load with various timeout scenarios will help identify and address this vulnerability proactively.