CVE-2025-2240: 
Java vulnerability analysis and mitigation

A vulnerability (CVE-2025-2240) was discovered in Smallrye's fault-tolerance component, specifically affecting the smallrye-fault-tolerance module. The vulnerability was disclosed on March 12, 2025, and affects multiple Red Hat products including Red Hat JBoss Enterprise Application Platform, Red Hat Fuse, and Red Hat build of Quarkus. This security flaw is related to an out-of-memory (OOM) issue that can be externally triggered (NVD, GitHub Advisory).

The vulnerability is classified with a CVSS v3.1 base score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. The technical issue stems from improper memory management where calling the metrics URI creates a new object within meterMap without proper cleanup. The vulnerability is categorized under CWE-1325 (Improperly Controlled Sequential Memory Allocation) (GitHub Advisory, NVD).

The vulnerability can lead to a denial of service (DoS) condition through resource exhaustion. When exploited, the continuous creation of new objects within meterMap without proper cleanup can cause the application to run out of memory, potentially making the service unavailable (Red Hat Bugzilla, NVD).

Fixed versions have been released: 6.4.2 and 6.9.0 of the smallrye-fault-tolerance-core package. Organizations using affected versions (>= 6.3.0, < 6.4.2 or >= 6.5.0, < 6.9.0) should upgrade to the patched versions (GitHub Advisory).