CVE-2025-66560: CWE-770: Allocation of Resources Without Limits or Throttling in quarkusio quarkus
Quarkus is a Cloud Native, (Linux) Container First framework for writing Java applications. Prior to versions 3.31.0, 3.27.2, and 3.20.5, a vulnerability exists in the HTTP layer of Quarkus REST related to response handling. When a response is being written, the framework waits for previously written response chunks to be fully transmitted before proceeding. If the client connection is dropped during this waiting period, the associated worker thread is never released and becomes permanently blocked. Under sustained or repeated occurrences, this can exhaust the available worker threads, leading to degraded performance, or complete unavailability of the application. This issue has been patched in versions 3.31.0, 3.27.2, and 3.20.5. A workaround involves implementing a health check that monitors the status and saturation of the worker thread pool to detect abnormal thread retention early.
AI Analysis
Technical Summary
CVE-2025-66560 is a resource exhaustion vulnerability classified under CWE-770, affecting the Quarkus framework's HTTP response handling in versions prior to 3.31.0, 3.27.2, and 3.20.5. Quarkus is widely used for building cloud-native Java applications, often deployed in Linux container environments. The vulnerability occurs because when Quarkus writes HTTP responses, it waits for previously sent response chunks to be fully transmitted before proceeding. If a client connection drops during this wait, the worker thread handling that response does not get released and remains blocked indefinitely. Over time, repeated or sustained dropped connections can exhaust the pool of available worker threads. This exhaustion leads to degraded application performance or complete denial of service, as no threads remain to handle new requests. The vulnerability does not affect confidentiality or integrity but severely impacts availability. Exploitation is remote and unauthenticated but requires high attack complexity due to the need to repeatedly cause connection drops. The issue has been patched in Quarkus versions 3.31.0, 3.27.2, and 3.20.5. As a mitigation, implementing health checks that monitor the worker thread pool status can help detect abnormal thread retention early, allowing proactive response before service degradation occurs. No known exploits have been reported in the wild to date.
Potential Impact
For European organizations, this vulnerability poses a significant risk to the availability of applications built on the Quarkus framework, especially those deployed in cloud-native or containerized environments. Organizations relying on affected versions may experience degraded performance or complete outages if attackers or network conditions cause repeated client connection drops. This can disrupt critical business services, impact customer experience, and potentially lead to financial losses or reputational damage. The vulnerability does not compromise data confidentiality or integrity, but the denial of service impact can affect sectors with high availability requirements such as finance, healthcare, and public services. Given the growing adoption of Quarkus in Europe’s software development ecosystem, particularly in Germany, France, and the UK, the threat is relevant to a broad range of enterprises and public sector organizations. The lack of known exploits reduces immediate risk but does not eliminate the potential for future attacks, especially as attackers may develop techniques to trigger connection drops at scale.
Mitigation Recommendations
1. Upgrade all Quarkus deployments to versions 3.31.0, 3.27.2, or 3.20.5 or later where the vulnerability is patched.
2. Implement health checks that monitor the worker thread pool saturation and thread retention metrics to detect abnormal conditions early.
3. Configure application and infrastructure-level timeouts to minimize the duration worker threads remain blocked on dropped connections.
4. Employ network-level protections such as rate limiting and connection management to reduce the likelihood of sustained connection drops caused by malicious or unstable clients.
5. Use container orchestration health probes (e.g., Kubernetes readiness and liveness probes) to automatically restart unhealthy application instances exhibiting thread pool exhaustion.
6. Monitor application logs and metrics for signs of thread starvation or increased latency in response handling.
7. Educate development and operations teams about this vulnerability to ensure timely patching and monitoring.
8. Consider deploying Web Application Firewalls (WAFs) or API gateways that can help detect and mitigate abnormal client connection behaviors.
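The workaround named in the advisory and in recommendations 2 and 5 is a health check that notices worker-pool saturation before the application stops answering. The Java class below is an added example written for this page, not code from the Quarkus project or the CVE record. It implements a MicroProfile Health liveness check (the API the Quarkus SmallRye Health extension exposes) that submits a no-op probe task to the worker pool and requires it to run within a deadline; if retained threads have consumed the pool, the probe queues behind them and times out, and after several consecutive timeouts the check reports DOWN. Two details are assumptions rather than facts from the advisory: that the Quarkus worker pool is injectable as the default `ExecutorService` bean, and that worker threads are named with the prefix `executor-thread-`. The timeout and failure-count thresholds are illustrative values to tune per deployment.

```java
package org.example.health; // hypothetical package for this example

import java.lang.management.ManagementFactory;
import java.lang.management.ThreadInfo;
import java.lang.management.ThreadMXBean;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Future;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;
import java.util.concurrent.atomic.AtomicInteger;

import jakarta.enterprise.context.ApplicationScoped;
import jakarta.inject.Inject;
import org.eclipse.microprofile.health.HealthCheck;
import org.eclipse.microprofile.health.HealthCheckResponse;
import org.eclipse.microprofile.health.HealthCheckResponseBuilder;
import org.eclipse.microprofile.health.Liveness;

/**
 * Liveness check that detects worker-pool exhaustion by submitting a tiny
 * probe task to the pool and requiring it to run within a deadline. When
 * blocked threads have consumed the pool, the probe queues behind them and
 * times out; after a few consecutive timeouts the check reports DOWN so an
 * orchestrator liveness probe can restart the instance.
 */
@Liveness
@ApplicationScoped
public class WorkerPoolHealthCheck implements HealthCheck {

    // Assumption: Quarkus names its worker threads "executor-thread-<n>".
    private static final String WORKER_THREAD_PREFIX = "executor-thread-";
    // Illustrative thresholds; tune per deployment.
    private static final long PROBE_TIMEOUT_MS = 500;
    private static final int FAILURES_BEFORE_DOWN = 3;

    // Assumption: the Quarkus worker pool is injectable as the default ExecutorService bean.
    @Inject
    ExecutorService workerPool;

    private final ThreadMXBean threadBean = ManagementFactory.getThreadMXBean();
    private final AtomicInteger consecutiveFailures = new AtomicInteger();

    @Override
    public HealthCheckResponse call() {
        long started = System.nanoTime();
        boolean probeRan = probeWorkerPool();
        long probeLatencyMs = TimeUnit.NANOSECONDS.toMillis(System.nanoTime() - started);

        int failures;
        if (probeRan) {
            consecutiveFailures.set(0);
            failures = 0;
        } else {
            failures = consecutiveFailures.incrementAndGet();
        }

        HealthCheckResponseBuilder response = HealthCheckResponse.named("worker-pool-saturation")
                .withData("probeRan", probeRan)
                .withData("probeLatencyMs", probeLatencyMs)
                .withData("consecutiveProbeFailures", failures)
                .withData("liveWorkerThreads", countWorkerThreads());

        // One slow probe can be a GC pause or a load spike; only sustained
        // failure is treated as thread retention.
        return failures >= FAILURES_BEFORE_DOWN ? response.down().build() : response.up().build();
    }

    /** Submit a no-op task and wait for it; false if it did not get a thread in time. */
    private boolean probeWorkerPool() {
        Future<?> probe = workerPool.submit(() -> { /* no-op: only scheduling latency matters */ });
        try {
            probe.get(PROBE_TIMEOUT_MS, TimeUnit.MILLISECONDS);
            return true;
        } catch (TimeoutException e) {
            probe.cancel(false); // nothing ran; drop the queued probe without interrupting anyone
            return false;
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
            return false;
        } catch (ExecutionException e) {
            return false; // a no-op cannot throw, but keep the Future contract honest
        }
    }

    /** Coarse saturation context reported alongside the probe: how many worker threads exist. */
    private long countWorkerThreads() {
        long count = 0;
        for (ThreadInfo info : threadBean.getThreadInfo(threadBean.getAllThreadIds())) {
            if (info != null && info.getThreadName().startsWith(WORKER_THREAD_PREFIX)) {
                count++;
            }
        }
        return count;
    }
}
```

With the `quarkus-smallrye-health` extension on the classpath the check is picked up automatically and its result, including the `probeLatencyMs` and `liveWorkerThreads` data, is served from the liveness endpoint (`/q/health/live` by default), which is where a Kubernetes `livenessProbe` from recommendation 5 should point. A rising `probeLatencyMs` across successive scrapes is the early-warning signal; DOWN is the point at which a restart is the only remaining recovery. The check detects the symptom, not the cause: it buys time until the upgrade in recommendation 1 is rolled out and does not replace it.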
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-12-04T16:01:32.473Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 695e9b047349d0379db428c6
Added to database: 1/7/2026, 5:42:28 PM
Last enriched: 1/7/2026, 5:56:48 PM
Last updated: 1/9/2026, 1:05:57 AM