
Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
A critical vulnerability (CVE-2024-12225) was discovered in the Quarkus security-webauthn module. The vulnerability was reported on May 6, 2025, and affects the WebAuthn functionality that handles user authentication. This security flaw exists in the default REST endpoints for user registration and login processes, which remain accessible even when custom endpoints are implemented (NVD, Red Hat CVE).
The vulnerability stems from the Quarkus WebAuthn module's handling of REST endpoints. When developers implement custom endpoints for login and registration, the default endpoints remain accessible and partially functional. The issue is classified as an Authentication Bypass Using an Alternate Path (CWE-288). The vulnerability has received a CVSS v3.1 base score of 9.1 (Critical) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N, indicating high severity with network accessibility and no required privileges or user interaction (NVD).
The vulnerability allows attackers to obtain a login cookie that either has no corresponding user in the Quarkus application or could correspond to an existing user unrelated to the attacker. This enables unauthorized access by allowing anyone to log in as an existing user by merely knowing the username. The SecurityIdentity obtained through this exploit typically has no roles by default, but depending on the application's implementation, it could gain additional privileges if the user exists in the system (Red Hat Bugzilla).
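The flaw described above is a configuration gap: an application that provides its own login and registration resources still exposes the built-in WebAuthn endpoints. The `application.properties` fragment below is an added example and is not taken from this page or from the Quarkus project. It assumes that the properties `quarkus.webauthn.enable-login-endpoint` and `quarkus.webauthn.enable-registration-endpoint` are the switches documented in the Quarkus WebAuthn guide for the built-in endpoints (they are not named on this page), and the origin and relying-party values are hypothetical.

```properties
# Added example, not from the page. Two alternative fragments for the same
# application, which supplies its own login/registration resources.

# --- Variant A (weak): the built-in WebAuthn endpoints stay switched on ---
# Both the custom resources and the default endpoints answer requests, which
# is the "alternate path" condition the advisory describes (CWE-288).
quarkus.webauthn.origins=https://app.example.test
quarkus.webauthn.relying-party.name=Example App
quarkus.webauthn.enable-login-endpoint=true
quarkus.webauthn.enable-registration-endpoint=true

# --- Variant B (corrected): the built-in endpoints are disabled explicitly ---
# Only the application's own resources can create a session. Property names
# are assumed from the Quarkus WebAuthn guide; verify them against the Quarkus
# version you actually deploy, and keep them set to false even if a newer
# release already defaults them that way.
quarkus.webauthn.origins=https://app.example.test
quarkus.webauthn.relying-party.name=Example App
quarkus.webauthn.enable-login-endpoint=false
quarkus.webauthn.enable-registration-endpoint=false
```

After deploying Variant B, confirm from the application's own route list (or the Quarkus dev UI) that no WebAuthn login or registration route other than the custom ones is registered, and add that check to the deployment pipeline so a later dependency upgrade cannot silently re-enable the defaults.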
Source: This report was generated using AI