Quarkus Framework HTTP Response Handling Vulnerability Impacting Java Applications
CVE-2025-66560

5.9MEDIUM

Key Information:

Vendor: Quarkusio
Status: Quarkus
Vendor: CVE Published:; 7 January 2026

What is CVE-2025-66560?

A flaw exists in the HTTP layer of Quarkus, a framework for Java applications, that affects how response handling is performed. During the process of writing responses, the framework waits for previously sent response chunks to be fully transmitted. If the client connection is interrupted during this time, the associated worker thread is left in a blocked state indefinitely. This can lead to worker thread exhaustion under sustained load, causing performance degradation or even complete application unavailability. The issue has been resolved in later versions 3.31.0, 3.27.2, and 3.20.5. Users are advised to implement health check mechanisms to monitor worker thread pool status to mitigate risks associated with abnormal retention of threads.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

quarkus >= 3.30.0, < 3.31.0 < 3.30.0, 3.31.0

quarkus >= 3.21.0, < 3.27.2 < 3.21.0, 3.27.2

quarkus < 3.20.5 < 3.20.5

References

https://github.com/quarkusio/quarkus/security/advisories/...

x_refsource_CONFIRM

CVSS V3.1

Score:

5.9

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jan 7, 2026
Vulnerability Reserved
Dec 4, 2025

JSON

Quarkusio

What is CVE-2025-66560?

Human OS v1.0: Ageing Is an Unpatched Zero-Day Vulnerability.

Affected Version(s)

References

CVSS V3.1

Timeline

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.