{
  "threat_severity" : "Important",
  "public_date" : "2025-03-12T00:00:00Z",
  "bugzilla" : {
    "description" : "smallrye-fault-tolerance: SmallRye Fault Tolerance",
    "id" : "2351452",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2351452"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-1325",
  "details" : [ "A flaw was found in SmallRye, where smallrye-fault-tolerance is vulnerable to an out-of-memory (OOM) issue. This vulnerability is externally triggered when calling the metrics URI. Every call creates a new object within meterMap and may lead to a denial of service (DoS) issue.", "A flaw was found in SmallRye, where smallrye-fault-tolerance is vulnerable to an out-of-memory (OOM) issue. This vulnerability is externally triggered when calling the metrics URI. Every call creates a new object within meterMap and may lead to a denial of service (DoS) issue." ],
  "statement" : "This vulnerability allows a remote attacker to cause an out-of-memory issue when calling the metrics URI, resulting in a denial of service. As this flaw can be triggered via the network, it has been rated with an important severity.",
  "affected_release" : [ {
    "product_name" : "Red Hat build of Apache Camel 4.8.5 for Spring Boot",
    "release_date" : "2025-04-02T00:00:00Z",
    "advisory" : "RHSA-2025:3543",
    "cpe" : "cpe:/a:redhat:apache_camel_spring_boot:4.8.5",
    "package" : "io.smallrye/smallrye-fault-tolerance-core"
  }, {
    "product_name" : "Red Hat Build of Apache Camel 4.8 for Quarkus 3.15",
    "release_date" : "2025-04-02T00:00:00Z",
    "advisory" : "RHSA-2025:3541",
    "cpe" : "cpe:/a:redhat:camel_quarkus:3.15",
    "package" : "com.redhat.quarkus.platform/quarkus-camel-bom"
  }, {
    "product_name" : "Red Hat Build of Apache Camel 4.8 for Quarkus 3.15",
    "release_date" : "2025-04-02T00:00:00Z",
    "advisory" : "RHSA-2025:3541",
    "cpe" : "cpe:/a:redhat:camel_quarkus:3.15",
    "package" : "com.redhat.quarkus.platform/quarkus-cxf-bom"
  }, {
    "product_name" : "Red Hat build of Quarkus 3.15.4",
    "release_date" : "2025-04-02T00:00:00Z",
    "advisory" : "RHSA-2025:3376",
    "cpe" : "cpe:/a:redhat:quarkus:3.15::el8",
    "package" : "io.smallrye/smallrye-fault-tolerance-core"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat build of Apicurio Registry 2",
    "fix_state" : "Affected",
    "package_name" : "io.smallrye/smallrye-fault-tolerance-core",
    "cpe" : "cpe:/a:redhat:service_registry:2"
  }, {
    "product_name" : "Red Hat build of Apicurio Registry 3",
    "fix_state" : "Affected",
    "package_name" : "io.smallrye/smallrye-fault-tolerance-core",
    "cpe" : "cpe:/a:redhat:apicurio_registry:3"
  }, {
    "product_name" : "Red Hat build of Quarkus",
    "fix_state" : "Not affected",
    "package_name" : "io.smallrye/smallrye-fault-tolerance-apiimpl",
    "cpe" : "cpe:/a:redhat:quarkus:3"
  }, {
    "product_name" : "Red Hat Fuse 7",
    "fix_state" : "Out of support scope",
    "package_name" : "io.smallrye/smallrye-fault-tolerance-core",
    "cpe" : "cpe:/a:redhat:jboss_fuse:7"
  }, {
    "product_name" : "Red Hat Integration Camel K 1",
    "fix_state" : "Will not fix",
    "package_name" : "io.smallrye/smallrye-fault-tolerance-core",
    "cpe" : "cpe:/a:redhat:integration:1"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7",
    "fix_state" : "Will not fix",
    "package_name" : "smallrye-fault-tolerance-core",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 8",
    "fix_state" : "Not affected",
    "package_name" : "smallrye-fault-tolerance-core",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack",
    "fix_state" : "Not affected",
    "package_name" : "smallrye-fault-tolerance-core",
    "cpe" : "cpe:/a:redhat:jbosseapxp"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-2240\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-2240\nhttps://github.com/advisories/GHSA-gfh6-3pqw-x2j4" ],
  "name" : "CVE-2025-2240",
  "mitigation" : {
    "value" : "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affected package as soon as possible.",
    "lang" : "en:us"
  },
  "csaw" : false
}