Description
Describe the bug
A security issue which was fixed here - https://github.com/quarkusio/quarkus/issues/48227 - has now also been reported for the quarkus-messaging and quarkus-vertx-http packages.
Expected behavior
No CVEs identified in the modules
Actual behavior
CI pipeline breaks because of the reported vulnerability. This is being reported in Nexus-IQ (Sonatype) with the following message:
Explanation
The Quarkus components listed below are vulnerable to Exposure of Resource to Wrong Sphere. The methods and classes listed below potentially leak data when duplicating a duplicated context. Duplicated contexts can include a significant amount of data, including request scope, security details, and metadata, which can violate confidentiality.
Advisory Deviation Notice:
The Sonatype Security Research team discovered that the vulnerable classes associated with this vulnerability primarily reside in the components io.quarkus:quarkus-messaging and io.quarkus:quarkus-vertx-http, as opposed to io.quarkus:quarkus-vertx listed in the advisory. For accuracy, Vert.x components (such as io.quarkus:quarkus-vertx) and other third-party components will only flag this CVE if the aforementioned primary vulnerable components/associated classes are being pulled into the build (for example, as dependencies) and not otherwise. Consequently, the vulnerable version ranges flagged for these components may be different from what the advisory states, and that is the expected behavior.
How to Reproduce?
No response
Output of uname -a or ver
No response
Output of java -version
No response
Quarkus version or git rev
No response
Build tool (i.e. output of mvnw --version or gradlew --version)
No response
Additional information
No response
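The advisory deviation notice quoted above makes the scanner's logic explicit: io.quarkus:quarkus-vertx is only flagged when io.quarkus:quarkus-messaging or io.quarkus:quarkus-vertx-http is actually pulled into the build. The first thing to establish when triaging such a Nexus-IQ finding is therefore which of those two artifacts is present, at what version, and through which dependency path. The script below is an added example for that triage; it is not part of the issue or of the Quarkus project. It parses the text output of `mvn dependency:tree` (only the Maven format, not `gradle dependencies`), reports every occurrence of the two primary components with the path that pulls them in, and notes when only quarkus-vertx is present and the flag is therefore not expected. The sample tree, its artifact coordinates and all version numbers are constructed for the example; the page names no fixed version, so the script does not compare versions against one.

```python
import re
import sys
from typing import Dict, List, Tuple

# Artifacts the Sonatype notice names as the primary vulnerable components.
PRIMARY_VULNERABLE = {
    "io.quarkus:quarkus-messaging",
    "io.quarkus:quarkus-vertx-http",
}

# Constructed sample of `mvn dependency:tree` output. The project, the
# dependency edges and the version numbers are assumptions for this example.
SAMPLE_TREE = """\
[INFO] --- dependency:3.6.1:tree (default-cli) @ my-app ---
[INFO] org.acme:my-app:jar:1.0.0-SNAPSHOT
[INFO] +- io.quarkus:quarkus-rest:jar:3.20.0:compile
[INFO] |  \\- io.quarkus:quarkus-vertx-http:jar:3.20.0:compile
[INFO] |     \\- io.quarkus:quarkus-vertx:jar:3.20.0:compile
[INFO] +- io.quarkus:quarkus-messaging-kafka:jar:3.20.0:compile
[INFO] |  \\- io.quarkus:quarkus-messaging:jar:3.20.0:compile
[INFO] \\- io.quarkus:quarkus-junit5:jar:3.20.0:test
[INFO] ------------------------------------------------------------------------
"""

# One tree line: "[INFO] " + indentation in 3-char units ("|  " or "   ")
# + an optional node marker ("+- " or "\- ", absent on the root line)
# + a coordinate with 4 to 6 colon-separated fields.
LINE_RE = re.compile(
    r"^\[INFO\] ((?:[| ]{3})*)([+\\]- )?"
    r"([A-Za-z0-9_.\-]+(?::[A-Za-z0-9_.\-]+){3,5})\s*$"
)


def parse_tree(text: str) -> List[Tuple[str, str, List[str]]]:
    """Return (groupId:artifactId, version, path-from-root) for every node."""
    stack: List[str] = []  # groupId:artifactId of the ancestors, index = depth
    nodes: List[Tuple[str, str, List[str]]] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # plugin banner, separator lines, anything that is not a node
        indent, marker, coord = m.groups()
        depth = 0 if marker is None else len(indent) // 3 + 1
        parts = coord.split(":")
        ga = f"{parts[0]}:{parts[1]}"
        # Root is g:a:type:version; other nodes are g:a:type[:classifier]:version:scope,
        # so the version is the last field before the scope.
        version = parts[3] if marker is None else parts[-2]
        del stack[depth:]  # pop back to the parent of this node
        stack.append(ga)
        nodes.append((ga, version, list(stack)))
    return nodes


def find_flagged(nodes) -> Dict[str, List[Tuple[str, str]]]:
    """Map each primary vulnerable artifact to (version, 'root -> ... -> it') paths."""
    hits: Dict[str, List[Tuple[str, str]]] = {}
    for ga, version, path in nodes:
        if ga in PRIMARY_VULNERABLE:
            hits.setdefault(ga, []).append((version, " -> ".join(path)))
    return hits


def triage(tree_text: str) -> dict:
    """Decide whether a quarkus-vertx finding is backed by a primary component."""
    nodes = parse_tree(tree_text)
    primary = find_flagged(nodes)
    vertx_only = sorted(
        {ga for ga, _, _ in nodes
         if ga.startswith("io.quarkus:quarkus-vertx") and ga not in PRIMARY_VULNERABLE}
    )
    return {
        "primary": primary,                       # what actually needs upgrading
        "vertx_without_primary": [] if primary else vertx_only,
        "actionable": bool(primary),              # per the notice, the flag is expected only then
    }


if __name__ == "__main__":
    # Real use: mvn dependency:tree -DoutputFile=tree.txt && python triage.py tree.txt
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_TREE
    result = triage(text)
    for ga, paths in result["primary"].items():
        for version, path in paths:
            print(f"{ga}:{version} pulled in via {path}")
    if not result["actionable"]:
        print("no primary vulnerable component in the build; "
              f"Vert.x artifacts present: {result['vertx_without_primary']}")
```

When a path ends in a transitive dependency, as with quarkus-rest pulling in quarkus-vertx-http above, the fix is to move the Quarkus BOM or platform version forward rather than to pin the leaf artifact, because the direct dependency will otherwise keep resolving the old transitive version. If `actionable` is false but the scanner still flags quarkus-vertx, that contradicts the notice and is worth raising with the scanner vendor rather than the project.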