CVE-2024-12397
io.quarkus.http/quarkus-http-core: Quarkus HTTP Cookie Smuggling
CVSS 3.1 base score: 7.4 (HIGH)
EPSS: 0.57%
Description
A flaw was found in Quarkus-HTTP, which incorrectly parses cookies with certain value-delimiting characters in incoming requests. This issue could allow an attacker to construct a cookie value to exfiltrate HttpOnly cookie values or spoof arbitrary additional cookie values, leading to unauthorized data access or modification. The main threat from this flaw impacts data confidentiality and integrity.
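The class of bug described above is delimiter confusion in Cookie-header parsing: a value that carries a character the parser should have treated as a separator (or should have refused) ends up either terminating one cookie early or being read as a second cookie. The following strict parser is an added example written for this page; it is not Quarkus-HTTP code and does not reproduce the specific Quarkus defect. It applies the RFC 6265 grammar for a Cookie request header (pairs split only on ";", names restricted to token characters, values restricted to cookie-octets, with an optional enclosing pair of double quotes) and returns the pairs it accepted alongside a list of reasons for each pair it rejected, which is the shape a defender wants for request validation or logging. The function names and the sample headers are constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# RFC 6265 cookie-octet: printable US-ASCII excluding CTLs, whitespace,
# DQUOTE (0x22), comma (0x2C), semicolon (0x3B) and backslash (0x5C).
_COOKIE_OCTET = re.compile(r"[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*")

# RFC 2616 token characters, used for the cookie name.
_TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")


def parse_cookie_header_strict(header: str) -> Tuple[Dict[str, str], List[str]]:
    """Parse a Cookie request header under the RFC 6265 grammar.

    Only ';' separates pairs. Any pair whose name is not a token, whose value
    contains a non-cookie-octet character, or whose name repeats an earlier
    pair is rejected and reported instead of being silently passed through.
    Returns (accepted_pairs, rejection_reasons). Example code, not a library API.
    """
    accepted: Dict[str, str] = {}
    rejected: List[str] = []
    for raw in header.split(";"):
        pair = raw.strip()
        if not pair:
            continue  # tolerate "a=1;; b=2"
        name, sep, value = pair.partition("=")
        if not sep or _TOKEN.fullmatch(name) is None:
            rejected.append(f"malformed pair: {pair!r}")
            continue
        # An enclosing DQUOTE pair is allowed by the grammar; strip it before
        # checking the inner octets so a stray, unbalanced quote is still caught.
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        if _COOKIE_OCTET.fullmatch(value) is None:
            rejected.append(f"illegal octet in value of cookie {name!r}")
            continue
        if name in accepted:
            # A repeated name in one header is a common spoofing signal;
            # keep the first value and report the repeat (policy choice for this example).
            rejected.append(f"duplicate cookie name {name!r}")
            continue
        accepted[name] = value
    return accepted, rejected


def header_is_clean(header: str) -> bool:
    """True when every pair in the header was accepted."""
    _, rejected = parse_cookie_header_strict(header)
    return not rejected


if __name__ == "__main__":
    # Constructed sample headers: one well-formed, three carrying delimiter characters
    # that a lenient parser might split on or pass through.
    samples = [
        "session=abc123; theme=dark",
        'session=abc"; admin=true',   # stray DQUOTE inside a value
        "a=1,b=2",                    # comma is not a pair separator
        "session=abc123; session=zzz",  # repeated name
    ]
    for h in samples:
        ok, bad = parse_cookie_header_strict(h)
        print(f"{h!r}: accepted={ok} rejected={bad}")
```

Running the block prints, for each constructed header, which pairs survived and why the rest were refused; the point is that a stray quote or comma never manufactures an extra cookie or truncates an existing one, it simply fails validation and is logged.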
How to fix CVE-2024-12397
To remediate CVE-2024-12397, upgrade the affected package to a fixed version below.
- io.quarkus.http/quarkus-http-core: upgrade to 5.3.4 or later
Is CVE-2024-12397 being exploited?
Low — EPSS is 0.6%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- io.quarkus.http/quarkus-http-core: all versions from 0 up to, but not including, 5.3.4
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH (7.4) | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N |