CVE-2025-49574: 
Java vulnerability analysis and mitigation

CVE-2025-49574 affects Quarkus, a Cloud Native (Linux) Container First framework for writing Java applications. The vulnerability was discovered and disclosed on June 23, 2025, impacting versions prior to 3.24.0. The issue involves a potential data leak when duplicating a duplicated context in Quarkus's implementation of Vert.x duplicated context for context propagation (GitHub Advisory, NVD).

The vulnerability stems from a change in Vert.x 4.5.12's semantics regarding the duplication of duplicated contexts. Initially, duplicating a duplicated context would create a fresh empty context, but the new semantic copies the content of the parent duplicated context into the new one. This affects Quarkus's extensive use of Vert.x duplicated context for context propagation. The vulnerability has been assigned a CVSS v3.1 base score of 6.4 (Medium) with vector string CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N (GitHub Advisory).

The vulnerability can cause data leakage between transactions, potentially exposing sensitive information. The duplicated context contains significant data including request scope, security details, and metadata. This affects several components including Quarkus REST Client with OTel, Quarkus Messaging connectors, and Quarkus SmallRye Health, though some cases operate within the same transaction and thus avoid leakage (GitHub Advisory).

A temporary workaround has been provided: when duplicating a duplicated context, users can implement ((ContextInternal) VertxContext.getRootContext(ctx)).duplicate(). The issue has been patched in Quarkus version 3.24.0. Additionally, after discussions with the Vert.x team, the behavior change will be rolled back in Vert.x 4.x, and a new API will be introduced in Vert.x 5 to distinguish between the two cases (GitHub Advisory).