CVE-2025-2240: Improperly Controlled Sequential Memory Allocation
A flaw was found in Smallrye, where smallrye-fault-tolerance is vulnerable to an out-of-memory (OOM) issue. This vulnerability is externally triggered when calling the metrics URI. Every call creates a new object within meterMap and may lead to a denial of service (DoS) issue.
AI-Powered Analysis (machine-generated threat intelligence)
Technical Summary
CVE-2025-2240 identifies a vulnerability in the smallrye-fault-tolerance library used within Red Hat Build of Apache Camel 4.8 for Quarkus 3.15, affecting versions 6.3.0 and 6.5.0. The root cause is an improperly controlled sequential memory allocation triggered by external calls to the metrics URI endpoint. Each invocation of this URI results in the creation of a new object within the internal meterMap data structure without proper limits or cleanup, causing memory consumption to grow unbounded. Over time or under high request volumes, this leads to an out-of-memory (OOM) condition, which can crash or severely degrade the affected application, resulting in a denial of service (DoS). The vulnerability does not impact confidentiality or integrity but severely affects availability. It is remotely exploitable without authentication or user interaction, with low attack complexity, making it accessible to attackers who can send repeated requests to the metrics endpoint. The absence of known exploits in the wild suggests it is newly discovered, but the potential for automated exploitation exists given the nature of the flaw. The vulnerability was published on March 12, 2025, and is tracked under CVE-2025-2240 with a CVSS v3.1 score of 7.5 (high severity).
Potential Impact
The primary impact of CVE-2025-2240 is denial of service due to out-of-memory conditions triggered by repeated access to the metrics URI. Organizations running affected versions of Red Hat Build of Apache Camel for Quarkus may experience service outages or degraded performance, impacting business continuity and availability of critical applications. This can disrupt internal operations, customer-facing services, and automated workflows relying on these components. Since the vulnerability is remotely exploitable without authentication, attackers can easily target exposed endpoints to cause service disruptions. This risk is heightened in cloud environments, microservices architectures, and containerized deployments where Apache Camel and Quarkus are commonly used. The lack of impact on confidentiality or integrity limits data breach concerns, but the availability impact alone can result in significant operational and reputational damage. Additionally, the vulnerability could be leveraged as part of a larger attack chain to distract or exhaust resources during multi-vector attacks.
Mitigation Recommendations
To mitigate CVE-2025-2240, organizations should promptly upgrade to patched versions of Red Hat Build of Apache Camel for Quarkus once available. In the absence of immediate patches, implement network-level controls to restrict access to the metrics URI endpoint, such as IP whitelisting, firewall rules, or API gateway filtering. Rate limiting and throttling requests to the metrics endpoint can reduce the risk of memory exhaustion. Monitoring memory usage and application logs for unusual spikes related to meterMap growth can provide early detection of exploitation attempts. Consider disabling or restricting the metrics endpoint if it is not essential for operations. Additionally, conduct thorough testing of fault-tolerance and metrics components in staging environments to identify abnormal resource consumption. Collaborate with Red Hat support and subscribe to security advisories for updates. Finally, incorporate this vulnerability into incident response plans to quickly address potential DoS incidents.
Affected Countries
United States, Germany, India, United Kingdom, France, Japan, Canada, Australia, Brazil, Netherlands, South Korea, China, Singapore
Technical Details
- Data Version: 5.1
- Assigner Short Name: redhat
- Date Reserved: 2025-03-12T02:36:02.101Z
- CISA Enriched: true
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 682d9816c4522896dcbd6c33
Added to database: 5/21/2025, 9:08:38 AM
Last enriched: 2/27/2026, 12:48:43 PM
Last updated: 3/26/2026, 8:45:47 AM