CVE-2025-1634: Missing Release of Memory after Effective Lifetime
A flaw was found in the quarkus-resteasy extension, which causes memory leaks when client requests with low timeouts are made. If a client request times out, a buffer is not released correctly, leading to increased memory usage and eventual application crash due to OutOfMemoryError.
AI Analysis
Technical Summary
CVE-2025-1634 is a memory management flaw (CWE-401, missing release of memory after effective lifetime) in quarkus-resteasy, the RESTEasy Classic JAX-RS server extension for Quarkus. The server allocates a buffer while handling a request; if the client times out and drops the connection before the response is finished, the abort path never releases that buffer. Nothing reclaims it, so every abandoned request leaves a little more heap permanently occupied, and a sustained stream of them drives the JVM to OutOfMemoryError and the application crashes. Confidentiality and integrity are not affected; the impact is loss of availability. The CVSS v3.1 base score of 7.5 (high) corresponds to the vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H: network-reachable, low complexity, no privileges, no user interaction, unchanged scope, high availability impact. The practical point is that the timeout belongs to the client, so an unauthenticated remote attacker needs no crafted payload: opening requests with a very short timeout (or simply closing the socket before the response completes) and repeating is the whole exploit, and each attempt costs the attacker almost nothing while costing the server heap it never gets back. How quickly the service falls over depends on the heap size, the buffer size per request and the request rate the attacker can sustain. No public exploit has been reported. This record does not list affected versions or patch links; confirm the affected and fixed Quarkus releases against the Red Hat advisory and the Quarkus release notes rather than assuming any particular version is safe. The CVE was reserved on 2025-02-24 and published in February 2025. Teams running quarkus-resteasy should treat the service as exposed to a cheap remote denial of service until it is upgraded, and put memory monitoring in place in the meantime.
Potential Impact
For European organizations the exposure is availability. Any internet-facing or partner-facing service built on quarkus-resteasy can be pushed into OutOfMemoryError by a remote party that repeatedly opens and abandons requests, which takes down customer-facing APIs and the internal services behind them. High-volume or latency-sensitive sectors such as finance, telecommunications and e-commerce feel this most, because a crashed instance also drops in-flight legitimate traffic and restarts cost warm-up time. There is no confidentiality or integrity impact, so this is not a data-breach vector, but the attack is cheap to run and easy to repeat, which makes it a plausible component of a deliberate denial-of-service campaign against European infrastructure. Organizations that cannot roll out updates quickly, or that run unpatched quarkus-resteasy versions behind proxies that forward client disconnects straight to the backend, are most at risk. No exploitation in the wild has been reported so far, which lowers the immediate likelihood but not the ease of exploitation.
Mitigation Recommendations
1. Monitor heap occupancy after garbage collection, not raw used heap: a post-GC floor that climbs steadily under load is the leak signature, while used-heap spikes are normal allocation churn. Start the JVM with -Xlog:gc (or scrape the JVM memory metrics Quarkus exposes) and alert on sustained growth.
2. Do not rely on timeout tuning. The timeout that triggers the leak is the remote client's, so adjusting the timeouts of your own HTTP clients only prevents self-inflicted leaks between your own services; an external attacker sets whatever timeout they like. Raising timeouts on internal callers is still worth doing to stop accidental leaks from legitimate traffic.
3. Rate-limit and circuit-break at the edge so a single source cannot sustain the thousands of abandoned requests needed to exhaust the heap; apply the limit per client IP or per API key, since the attack needs volume rather than any special payload.
4. Track the Quarkus project and the Red Hat advisory for the fixed release and upgrade promptly; this is the only real fix.
5. Reproduce in staging before and after upgrading: drive the service with many short-timeout requests and confirm from the GC log that the post-GC heap returns to baseline once the load stops.
6. Run the JVM with -XX:+HeapDumpOnOutOfMemoryError and -XX:HeapDumpPath=<dir> so a crash leaves evidence, and with -XX:+ExitOnOutOfMemoryError so the orchestrator restarts the process instead of leaving a half-dead JVM serving errors; the heap dump will show the retained buffers if this CVE is the cause.
7. Where feasible, front the service with a reverse proxy that buffers the full upstream response and does not abort the backend request when the client disconnects (nginx's proxy_ignore_client_abort on, for example); a streaming proxy that cancels upstream on client close passes the trigger straight through, so verify the behaviour rather than assuming it.
8. Update incident response runbooks to cover memory exhaustion: how to capture a heap dump from a live instance (jcmd <pid> GC.heap_dump <file>), how to recognise this leak in it, and how to fail over while instances restart.
9. Engage with the Quarkus community or Red Hat support for backported fixes if you are pinned to an older release stream.
10. Brief development and operations teams together so that the upgrade, the monitoring and the edge controls land as one coordinated change.
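The staging check described in the mitigation list (monitoring the post-GC heap, reproducing under short-timeout load, confirming the signature before and after an upgrade) and the trigger described in the Technical Summary, as one runnable harness. This is an added example and not code from the Quarkus project or from this advisory. It assumes a Quarkus service reachable at a host and port you supply, started with -Xlog:gc:file=gc.log, and an endpoint whose response takes longer than the client timeout; the endpoint path, the burst sizes and the two sample GC logs are constructed for illustration. The client half abandons requests the way the advisory describes; the analysis half reads the JVM's unified GC log and flags a post-GC occupancy floor that keeps rising, which is what separates a leak from ordinary allocation churn.

```python
"""Staging harness for a CVE-2025-1634-style leak (added example, not Quarkus code).

Client half:   abandon_requests() opens requests with a tiny client timeout and
               drops them, which is the trigger the advisory describes.
Analysis half: post_gc_floor() parses a JVM unified GC log (java -Xlog:gc) and
               looks_like_leak() checks whether the heap that *survives* each
               collection keeps growing.  Raw used heap is noisy because it
               includes garbage not yet collected; the post-GC floor is not.
"""
import http.client
import re
import socket

# One "pause" line as written by -Xlog:gc.  Layout is the JDK's; the figures are illustrative:
# [12.345s][info][gc] GC(7) Pause Young (Normal) (G1 Evacuation Pause) 187M->142M(512M) 4.123ms
GC_PAUSE = re.compile(
    r"GC\((?P<gc_id>\d+)\) .+? "
    r"\d+[KMG]->(?P<after>\d+)(?P<unit>[KMG])\(\d+[KMG]\)"
)
KIB = {"K": 1, "M": 1024, "G": 1024 * 1024}


def post_gc_floor(gc_log_text):
    """Return [(gc_id, heap_after_gc_kib), ...] for every pause line in the log.

    Concurrent-cycle lines and the 'Using G1' banner carry no X->Y(Z) figure
    and are skipped.
    """
    samples = []
    for line in gc_log_text.splitlines():
        m = GC_PAUSE.search(line)
        if m:
            samples.append((int(m.group("gc_id")), int(m.group("after")) * KIB[m.group("unit")]))
    return samples


def looks_like_leak(samples, windows=3, min_growth=0.2):
    """True when the minimum post-GC occupancy rises across `windows` consecutive
    slices of the log and the last floor is at least `min_growth` above the first.

    Using the per-window minimum ignores young collections that leave old-gen
    garbage behind; a floor that never comes back down is live data, i.e. a leak.
    """
    if len(samples) < 2 * windows:
        return False  # not enough collections to judge
    step = len(samples) // windows
    bounds = [i * step for i in range(windows)] + [len(samples)]
    floors = [min(after for _, after in samples[lo:hi]) for lo, hi in zip(bounds, bounds[1:])]
    rising = all(later > earlier for earlier, later in zip(floors, floors[1:]))
    return rising and (floors[-1] - floors[0]) >= min_growth * floors[0]


def abandon_requests(host, port, path="/", count=1000, timeout=0.05):
    """Open `count` requests and give up after `timeout` seconds each.

    Returns (timed_out, other_errors).  The server is still producing the
    response when the socket is closed, which is the condition under which the
    vulnerable extension fails to release its buffer.
    """
    timed_out = other = 0
    for _ in range(count):
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        try:
            conn.request("GET", path)
            conn.getresponse().read()
        except socket.timeout:
            timed_out += 1
        except OSError:  # refused, reset, broken pipe: not the trigger, but worth counting
            other += 1
        finally:
            conn.close()  # hard close, never a graceful drain
    return timed_out, other


# Constructed sample logs (not captured from a real system) in -Xlog:gc layout.
LEAKING_GC_LOG = """\
[1.201s][info][gc] Using G1
[3.005s][info][gc] GC(0) Pause Young (Normal) (G1 Evacuation Pause) 24M->6M(256M) 3.102ms
[6.112s][info][gc] GC(1) Pause Young (Normal) (G1 Evacuation Pause) 30M->9M(256M) 2.870ms
[9.330s][info][gc] GC(2) Pause Young (Normal) (G1 Evacuation Pause) 33M->12M(256M) 2.991ms
[12.480s][info][gc] GC(3) Pause Young (Normal) (G1 Evacuation Pause) 37M->16M(256M) 3.220ms
[15.602s][info][gc] GC(4) Pause Young (Normal) (G1 Evacuation Pause) 41M->20M(256M) 3.410ms
[18.740s][info][gc] GC(5) Pause Young (Normal) (G1 Evacuation Pause) 45M->25M(256M) 3.655ms
[21.900s][info][gc] GC(6) Pause Young (Concurrent Start) (G1 Humongous Allocation) 49M->30M(256M) 3.900ms
[21.905s][info][gc] GC(7) Concurrent Mark Cycle
[25.050s][info][gc] GC(8) Pause Young (Prepare Mixed) (G1 Evacuation Pause) 54M->35M(256M) 4.100ms
[28.200s][info][gc] GC(9) Pause Young (Mixed) (G1 Evacuation Pause) 59M->41M(256M) 4.350ms
"""
HEALTHY_GC_LOG = """\
[3.005s][info][gc] GC(0) Pause Young (Normal) (G1 Evacuation Pause) 24M->6M(256M) 3.102ms
[6.112s][info][gc] GC(1) Pause Young (Normal) (G1 Evacuation Pause) 30M->7M(256M) 2.870ms
[9.330s][info][gc] GC(2) Pause Young (Normal) (G1 Evacuation Pause) 31M->6M(256M) 2.991ms
[12.480s][info][gc] GC(3) Pause Young (Normal) (G1 Evacuation Pause) 30M->7M(256M) 3.220ms
[15.602s][info][gc] GC(4) Pause Young (Normal) (G1 Evacuation Pause) 31M->6M(256M) 3.410ms
[18.740s][info][gc] GC(5) Pause Young (Normal) (G1 Evacuation Pause) 32M->8M(256M) 3.655ms
"""

if __name__ == "__main__":
    import sys
    # usage: python harness.py HOST PORT /slow-endpoint /path/to/gc.log  (all four are assumptions)
    host, port, path, gc_log = sys.argv[1], int(sys.argv[2]), sys.argv[3], sys.argv[4]
    for burst in range(5):
        print("burst %d: %d timed out, %d other errors" % ((burst,) + abandon_requests(host, port, path)))
    with open(gc_log) as fh:
        samples = post_gc_floor(fh.read())
    print("collections seen:", len(samples), "leak signature:", looks_like_leak(samples))
```

Run the bursts, let the service idle long enough for a few more collections, then analyse the log: on a vulnerable build the floor keeps rising burst after burst and never returns to the pre-load value; on a fixed build it settles back. Per-window minimums are used instead of a straight slope so that a young collection that leaves old-generation garbage behind is not mistaken for retained buffers.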
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy
Technical Details
- Data Version: 5.1
- Assigner Short Name: redhat
- Date Reserved: 2025-02-24T14:23:22.369Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 68629a946f40f0eb728bd83d
Added to database: 6/30/2025, 2:09:24 PM
Last enriched: 11/11/2025, 4:06:32 PM
Last updated: 11/20/2025, 8:02:33 AM
Views: 65
Related Threats
CVE-2024-4438: Uncontrolled Resource Consumption (High)
CVE-2024-4437: Uncontrolled Resource Consumption (High)
CVE-2023-3899: Improper Authorization in Red Hat Red Hat Enterprise Linux 7 (High)
CVE-2024-8768: Reachable Assertion (High)
CVE-2024-8509: Improper Authorization (High)