CVE-2025-2240: Improperly Controlled Sequential Memory Allocation
A flaw was found in Smallrye, where smallrye-fault-tolerance is vulnerable to an out-of-memory (OOM) issue. This vulnerability is externally triggered when calling the metrics URI. Every call creates a new object within meterMap and may lead to a denial of service (DoS) issue.
AI Analysis
Technical Summary
CVE-2025-2240 is a high-severity vulnerability affecting the Smallrye Fault Tolerance component within the Red Hat Build of Apache Camel 4.8 for Quarkus 3.15, specifically versions 6.3.0 and 6.5.0. The flaw arises from improperly controlled sequential memory allocation when the metrics URI endpoint is invoked. Each request to this endpoint causes the creation of a new object within an internal data structure called meterMap. Because these objects are not properly managed or released, repeated calls lead to unbounded memory consumption, ultimately resulting in an out-of-memory (OOM) condition. This OOM state can cause the affected application to crash or become unresponsive, effectively causing a denial of service (DoS). The vulnerability is remotely exploitable without requiring authentication or user interaction, as the metrics URI is externally accessible. The CVSS v3.1 score of 7.5 reflects the high impact on availability, with no impact on confidentiality or integrity. Although no known exploits are currently reported in the wild, the ease of triggering the OOM condition via repeated requests makes this a significant risk, especially for publicly exposed services using the affected versions of Smallrye Fault Tolerance within Red Hat's Apache Camel for Quarkus. The vulnerability underscores the importance of proper resource management in microservice frameworks and fault tolerance libraries, particularly when exposing operational metrics endpoints that can be targeted for resource exhaustion attacks.
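The allocation pattern described above, modelled in Python as an added illustration (this is not SmallRye's code and does not reproduce its internals): a registry that stores a fresh object under a never-reused key on every scrape, next to one that keys meters by identity and reuses them, with an assumed hard cap so the map cannot grow without bound. The metric name, tags and cap value are constructed for the example.

```python
# Added illustration (not SmallRye code): per-request allocation into a map
# that is never drained, beside a keyed, bounded registry.
import itertools
import tracemalloc
from dataclasses import dataclass


@dataclass
class Meter:
    """Stand-in for a metrics object held in a registry's map."""
    name: str
    tags: tuple
    value: float = 0.0


class LeakyRegistry:
    """Every scrape stores a fresh Meter under a key that is never reused,
    so meter_map grows by one entry per request and nothing is released."""

    def __init__(self):
        self.meter_map = {}
        self._seq = itertools.count()

    def scrape(self, name, tags):
        key = (name, tags, next(self._seq))  # unique per call: the defect
        meter = Meter(name, tags)
        self.meter_map[key] = meter
        return meter


class KeyedRegistry:
    """Meters are keyed by identity (name + tags) and reused across scrapes.
    The cap (assumed value) bounds growth even if identities are influenced
    by callers; a scrape that would exceed it is refused, not stored."""

    def __init__(self, max_meters=10_000):
        self.meter_map = {}
        self.max_meters = max_meters
        self.rejected = 0

    def scrape(self, name, tags):
        key = (name, tags)
        meter = self.meter_map.get(key)
        if meter is None:
            if len(self.meter_map) >= self.max_meters:
                self.rejected += 1
                return None
            meter = Meter(name, tags)
            self.meter_map[key] = meter
        return meter


def simulate_scrapes(registry, requests):
    """Scrape one metric `requests` times; return the map size afterwards."""
    tags = (("method", "OrderService.place"),)  # constructed sample identity
    for _ in range(requests):
        registry.scrape("ft.retry.calls.total", tags)
    return len(registry.meter_map)


def retained_bytes(registry, requests):
    """Bytes still held by the registry after the scrapes (tracemalloc delta)."""
    tracemalloc.start()
    before, _ = tracemalloc.get_traced_memory()
    simulate_scrapes(registry, requests)
    after, _ = tracemalloc.get_traced_memory()
    tracemalloc.stop()
    return after - before


if __name__ == "__main__":
    print("leaky entries after 1000 scrapes:", simulate_scrapes(LeakyRegistry(), 1000))
    print("keyed entries after 1000 scrapes:", simulate_scrapes(KeyedRegistry(), 1000))
    print("leaky retained bytes:", retained_bytes(LeakyRegistry(), 1000))
    print("keyed retained bytes:", retained_bytes(KeyedRegistry(), 1000))
```

The leaky registry's map size equals the request count, which is why an unauthenticated caller hitting the endpoint in a loop translates directly into heap growth; the keyed registry stays at one entry per distinct metric regardless of request volume.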
Potential Impact
For European organizations deploying applications built on Red Hat Build of Apache Camel 4.8 for Quarkus 3.15 with affected Smallrye Fault Tolerance versions, this vulnerability poses a substantial risk of service disruption. The denial of service caused by OOM conditions can lead to downtime of critical business applications, impacting availability of services such as financial transactions, supply chain management, or customer-facing portals. Organizations in sectors like finance, healthcare, telecommunications, and government, which rely heavily on resilient microservices architectures, may experience operational interruptions and potential financial losses. Additionally, the vulnerability could be exploited by attackers to degrade service quality or cause outages during peak usage, affecting reputation and compliance with European regulations on service availability and incident management. Since the flaw does not impact confidentiality or integrity, data breaches are unlikely; however, the availability impact alone can have cascading effects on business continuity and user trust.
Mitigation Recommendations
Organizations should immediately identify deployments using affected versions (6.3.0 and 6.5.0) of Smallrye Fault Tolerance within Red Hat Build of Apache Camel 4.8 for Quarkus 3.15. Applying vendor-provided patches or updates as soon as they become available is critical. In the absence of patches, temporary mitigations include restricting access to the metrics URI endpoint through network controls such as firewalls or API gateways to limit exposure to trusted internal networks only. Implementing rate limiting or throttling on the metrics endpoint can reduce the risk of repeated calls causing OOM conditions. Monitoring application memory usage and setting up alerts for abnormal consumption patterns will help detect exploitation attempts early. Additionally, reviewing and optimizing the application’s memory management and garbage collection settings may mitigate impact. Finally, conducting thorough testing of the metrics endpoint under load can help identify and address resource exhaustion issues proactively.
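Three of the steps above (identifying affected versions, checking request volume to the metrics endpoint, and alerting on abnormal memory growth) as one added example run over constructed sample data. This is not vendor tooling: the Maven group id, the metrics path `/q/metrics`, the common-log-format access lines and the heap samples are assumptions made for the example, and the affected versions are the ones the advisory lists.

```python
# Added example (not from the advisory or the vendor): version scan,
# metrics-endpoint request counting, and a heap-growth alert rule.
import re
from collections import Counter

AFFECTED_VERSIONS = {"6.3.0", "6.5.0"}   # versions named in the advisory
AFFECTED_GROUP = "io.smallrye"           # assumption: Maven group id of the artifact
METRICS_PATH = "/q/metrics"              # assumption: placeholder for the deployment's metrics URI

# `mvn dependency:list` prints "groupId:artifactId:type:version:scope" lines.
DEP_RE = re.compile(r"(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):\w+:(?P<version>[\w.\-]+):\w+")


def affected_dependencies(lines):
    """Return (artifact, version) pairs whose version is in the affected set."""
    hits = []
    for line in lines:
        m = DEP_RE.search(line)
        if not m:
            continue
        if (m.group("group") == AFFECTED_GROUP
                and m.group("artifact").startswith("smallrye-fault-tolerance")
                and m.group("version") in AFFECTED_VERSIONS):
            hits.append((m.group("artifact"), m.group("version")))
    return hits


# Common log format: client ident user [time] "METHOD path proto" status size
ACCESS_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')


def metrics_requests_per_client(lines, path=METRICS_PATH):
    """Count requests to the metrics path per client address."""
    counts = Counter()
    for line in lines:
        m = ACCESS_RE.match(line)
        if m and m.group("path").split("?", 1)[0] == path:
            counts[m.group("ip")] += 1
    return dict(counts)


def clients_over_limit(counts, max_per_window):
    """Clients whose request count exceeds the per-window budget (rate-limit candidates)."""
    return sorted(ip for ip, n in counts.items() if n > max_per_window)


def sustained_heap_growth(used_bytes, window, min_growth_pct):
    """True when the last `window` samples rise monotonically and the net
    growth across them is at least `min_growth_pct`; normal GC churn that
    dips between samples does not trigger it."""
    if len(used_bytes) < window:
        return False
    tail = used_bytes[-window:]
    if any(b <= a for a, b in zip(tail, tail[1:])):
        return False
    return (tail[-1] - tail[0]) * 100.0 / tail[0] >= min_growth_pct


# Constructed sample inputs.
SAMPLE_DEPS = [
    "[INFO]    io.smallrye:smallrye-fault-tolerance:jar:6.3.0:compile",
    "[INFO]    io.smallrye:smallrye-fault-tolerance-api:jar:6.3.0:compile",
    "[INFO]    org.example:other-lib:jar:1.2.3:compile",
]
SAMPLE_ACCESS = (
    ['10.0.0.5 - - [21/May/2025:09:00:0%d +0000] "GET /q/metrics HTTP/1.1" 200 5120' % i for i in range(5)]
    + ['10.0.0.9 - - [21/May/2025:09:00:07 +0000] "GET /q/metrics HTTP/1.1" 200 5120',
       '10.0.0.9 - - [21/May/2025:09:00:08 +0000] "GET /q/health HTTP/1.1" 200 64']
)
MB = 1024 * 1024
GROWING_HEAP = [400 * MB, 430 * MB, 470 * MB, 520 * MB, 590 * MB, 660 * MB]
FLAT_HEAP = [400 * MB, 410 * MB, 405 * MB, 412 * MB, 408 * MB, 411 * MB]

if __name__ == "__main__":
    print("affected:", affected_dependencies(SAMPLE_DEPS))
    counts = metrics_requests_per_client(SAMPLE_ACCESS)
    print("metrics requests:", counts, "over limit:", clients_over_limit(counts, 3))
    print("growing heap alert:", sustained_heap_growth(GROWING_HEAP, 5, 20))
    print("flat heap alert:", sustained_heap_growth(FLAT_HEAP, 5, 20))
```

The heap rule deliberately requires monotonic growth over the window: a leak driven by repeated endpoint calls shows up as used memory that never comes back down after collection, which is what separates it from ordinary allocation noise. Pair the request counts with the heap alert so that a spike in calls to the metrics path from one client is correlated with the memory trend rather than alerted on alone.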
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: redhat
- Date Reserved: 2025-03-12T02:36:02.101Z
- CISA Enriched: true
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 682d9816c4522896dcbd6c33
Added to database: 5/21/2025, 9:08:38 AM
Last enriched: 9/26/2025, 12:29:52 AM
Last updated: 10/4/2025, 10:58:48 AM