GHSA-9623-mj7j-p9v4

Suggest an improvement
Source
https://github.com/advisories/GHSA-9623-mj7j-p9v4
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-9623-mj7j-p9v4/GHSA-9623-mj7j-p9v4.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-9623-mj7j-p9v4
Aliases
Published
2025-06-23T18:53:22Z
Modified
2025-06-27T23:34:41.406463Z
Downstream
Severity
  • 6.4 (Medium) CVSS_V3 - CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N CVSS Calculator
Summary
Quarkus potentially leaks data when duplicating a duplicated context
Details

Impact

Vert.x 4.5.12 has changed the semantics of the duplication of duplicated context.

Duplicated context is an object used to propagate data through a processing (synchronous or asynchronous). Each "transaction" or "processing" runs on its own isolated duplicated context.

Initially, duplicating a duplicated context was creating a fresh (empty) new context, meaning that the new duplicated context can be used to managed a separated transaction.

In Vert.x 4.5.12, this semantics has changed, and since the content of the parent duplicated context is copied into the new one, potentially leaking data.

This CVE is especially for Quarkus as Quarkus extensively uses the Vert.x duplicated context to implement context propagation. With the new semantic data from one transaction can leak to the data from another transaction. From a Vert.x point of view, this new semantic clarifies the behavior.

A significant amount of data is stored in the duplicated context, including request scope, security details, and metadata. Duplicating a duplicated context is rather rare and is only done in a few places:

  • Quarkus REST Client when using OTel (but it's the same transaction, so no leak)
  • Quarkus Messaging connectors
  • Quarkus SmallRye Health (same transaction, so no leak)

Patches

After discussion with the Vert.x team, the change will be rolled back in Vert.x 4.x. A new API will be added to Vert.x 5 do distinguish the 2 cases.

Workarounds

When duplicating a duplicated context, the following code can be done to avoid the potential leak:

((ContextInternal) VertxContext.getRootContext(ctx)).duplicate()

This workaround would not be required once the Vert.x version containing the fix will be included. Note that the workaround would still work.

References

This issue have been reported in https://github.com/quarkusio/quarkus/issues/48227.

Database specific 
{
    "github_reviewed": true,
    "nvd_published_at": "2025-06-23T20:15:28Z",
    "severity": "MODERATE",
    "cwe_ids": [
        "CWE-668"
    ],
    "github_reviewed_at": "2025-06-23T18:53:22Z"
}
References

Affected packages

Maven / io.quarkus:quarkus-vertx

Package

Name
io.quarkus:quarkus-vertx
View open source insights on deps.dev
Purl
pkg:maven/io.quarkus/quarkus-vertx

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Last affected
3.15.5

Affected versions

0.*

0.11.0
0.12.0
0.13.0
0.13.1
0.13.2
0.13.3
0.14.0
0.15.0
0.16.0
0.16.1
0.17.0
0.18.0
0.19.0
0.19.1
0.20.0
0.21.0
0.21.1
0.21.2
0.22.0
0.23.0
0.23.1
0.23.2
0.24.0
0.25.0
0.26.0
0.26.1
0.27.0
0.28.0
0.28.1

1.*

1.0.0.CR1
1.0.0.CR2
1.0.0.Final
1.0.1.Final
1.1.0.CR1
1.1.0.Final
1.1.1.Final
1.2.0.CR1
1.2.0.Final
1.2.1.Final
1.3.0.Alpha1
1.3.0.Alpha2
1.3.0.CR1
1.3.0.CR2
1.3.0.Final
1.3.1.Final
1.3.2.Final
1.3.3.Final
1.3.4.Final
1.4.0.CR1
1.4.0.Final
1.4.1.Final
1.4.2.Final
1.5.0.CR1
1.5.0.Final
1.5.1.Final
1.5.2.Final
1.6.0.CR1
1.6.0.Final
1.6.1.Final
1.7.0.CR1
1.7.0.CR2
1.7.0.Final
1.7.1.Final
1.7.2.Final
1.7.3.Final
1.7.4.Final
1.7.5.Final
1.7.6.Final
1.8.0.CR1
1.8.0.Final
1.8.1.Final
1.8.2.Final
1.8.3.Final
1.9.0.CR1
1.9.0.Final
1.9.1.Final
1.9.2.Final
1.10.0.CR1
1.10.0.Final
1.10.1.Final
1.10.2.Final
1.10.3.Final
1.10.4.Final
1.10.5.Final
1.11.0.Beta1
1.11.0.Beta2
1.11.0.CR1
1.11.0.Final
1.11.1.Final
1.11.2.Final
1.11.3.Final
1.11.4.Final
1.11.5.Final
1.11.6.Final
1.11.7.Final
1.12.0.CR1
1.12.0.Final
1.12.1.Final
1.12.2.Final
1.13.0.CR1
1.13.0.Final
1.13.1.Final
1.13.2.Final
1.13.3.Final
1.13.4.Final
1.13.5.Final
1.13.6.Final
1.13.7.Final

2.*

2.0.0.Alpha1
2.0.0.Alpha2
2.0.0.Alpha3
2.0.0.CR1
2.0.0.CR2
2.0.0.CR3
2.0.0.Final
2.0.1.Final
2.0.2.Final
2.0.3.Final
2.1.0.CR1
2.1.0.Final
2.1.1.Final
2.1.2.Final
2.1.3.Final
2.1.4.Final
2.2.0.CR1
2.2.0.Final
2.2.1.Final
2.2.2.Final
2.2.3.Final
2.2.4.Final
2.2.5.Final
2.3.0.CR1
2.3.0.Final
2.3.1.Final
2.4.0.CR1
2.4.0.Final
2.4.1.Final
2.4.2.Final
2.5.0.CR1
2.5.0.Final
2.5.1.Final
2.5.2.Final
2.5.3.Final
2.5.4.Final
2.6.0.CR1
2.6.0.Final
2.6.1.Final
2.6.2.Final
2.6.3.Final
2.7.0.CR1
2.7.0.Final
2.7.1.Final
2.7.2.Final
2.7.3.Final
2.7.4.Final
2.7.5.Final
2.7.6.Final
2.7.7.Final
2.8.0.CR1
2.8.0.Final
2.8.1.Final
2.8.2.Final
2.8.3.Final
2.9.0.CR1
2.9.0.Final
2.9.1.Final
2.9.2.Final
2.10.0.CR1
2.10.0.Final
2.10.1.Final
2.10.2.Final
2.10.3.Final
2.10.4.Final
2.11.0.CR1
2.11.0.Final
2.11.1.Final
2.11.2.Final
2.11.3.Final
2.12.0.CR1
2.12.0.Final
2.12.1.Final
2.12.2.Final
2.12.3.Final
2.13.0.CR1
2.13.0.Final
2.13.1.Final
2.13.2.Final
2.13.3.Final
2.13.4.Final
2.13.5.Final
2.13.6.Final
2.13.7.Final
2.13.8.Final
2.13.9.Final
2.14.0.CR1
2.14.0.Final
2.14.1.Final
2.14.2.Final
2.14.3.Final
2.15.0.CR1
2.15.0.Final
2.15.1.Final
2.15.2.Final
2.15.3.Final
2.16.0.CR1
2.16.0.Final
2.16.1.Final
2.16.2.Final
2.16.3.Final
2.16.4.Final
2.16.5.Final
2.16.6.Final
2.16.7.Final
2.16.8.Final
2.16.9.Final
2.16.10.Final
2.16.11.Final
2.16.12.Final

3.*

3.0.0.Alpha1
3.0.0.Alpha2
3.0.0.Alpha3
3.0.0.Alpha4
3.0.0.Alpha5
3.0.0.Alpha6
3.0.0.Beta1
3.0.0.CR1
3.0.0.CR2
3.0.0.Final
3.0.1.Final
3.0.2.Final
3.0.3.Final
3.0.4.Final
3.1.0.CR1
3.1.0.Final
3.1.1.Final
3.1.2.Final
3.1.3.Final
3.2.0.CR1
3.2.0.Final
3.2.1.Final
3.2.2.Final
3.2.3.Final
3.2.4.Final
3.2.5.Final
3.2.6.Final
3.2.7.Final
3.2.8.Final
3.2.9.Final
3.2.10.Final
3.2.11.Final
3.2.12.Final
3.3.0.CR1
3.3.0
3.3.1
3.3.2
3.3.3
3.4.0.CR1
3.4.0
3.4.1
3.4.2
3.4.3
3.5.0.CR1
3.5.0
3.5.1
3.5.2
3.5.3
3.6.0.CR1
3.6.0
3.6.1
3.6.2
3.6.3
3.6.4
3.6.5
3.6.6
3.6.7
3.6.8
3.6.9
3.7.0.CR1
3.7.0
3.7.1
3.7.2
3.7.3
3.7.4
3.8.0.CR1
3.8.0
3.8.1
3.8.2
3.8.3
3.8.4
3.8.5
3.8.6
3.8.6.1
3.9.0.CR1
3.9.0.CR2
3.9.0
3.9.1
3.9.2
3.9.3
3.9.4
3.9.5
3.10.0.CR1
3.10.0
3.10.1
3.10.2
3.11.0.CR1
3.11.0
3.11.1
3.11.2
3.11.3
3.12.0.CR1
3.12.0
3.12.1
3.12.2
3.12.3
3.13.0.CR1
3.13.0
3.13.1
3.13.2
3.13.3
3.14.0.CR1
3.14.0
3.14.1
3.14.2
3.14.3
3.14.4
3.15.0.CR1
3.15.0
3.15.1
3.15.2
3.15.3
3.15.3.1
3.15.4
3.15.5

Maven / io.quarkus:quarkus-vertx

Package

Name
io.quarkus:quarkus-vertx
View open source insights on deps.dev
Purl
pkg:maven/io.quarkus/quarkus-vertx

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.16.0.CR1
Last affected
3.20.1

Affected versions

3.*

3.16.0.CR1
3.16.0
3.16.1
3.16.2
3.16.3
3.16.4
3.17.0.CR1
3.17.0
3.17.1
3.17.2
3.17.3
3.17.4
3.17.5
3.17.6
3.17.7
3.17.8
3.18.0.CR1
3.18.0
3.18.1
3.18.2
3.18.3
3.18.4
3.19.0.CR1
3.19.0
3.19.1
3.19.2
3.19.3
3.19.4
3.20.0.CR1
3.20.0
3.20.1

Maven / io.quarkus:quarkus-vertx

Package

Name
io.quarkus:quarkus-vertx
View open source insights on deps.dev
Purl
pkg:maven/io.quarkus/quarkus-vertx

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.21.0.CR1
Fixed
3.24.0

Affected versions

3.*

3.21.0.CR1
3.21.0
3.21.1
3.21.2
3.21.3
3.21.4
3.22.0.CR1
3.22.0
3.22.1
3.22.2
3.22.3
3.23.0.CR1
3.23.0