Is CVE-2024-12225 actively exploited?

CVE-2024-12225 has no public evidence of in-the-wild exploitation as of 2025-07-31.

What is the CVSS score for CVE-2024-12225?

CVE-2024-12225 has a CVSS score of 9.1 (CRITICAL severity). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N.

How do I patch CVE-2024-12225?

Patch guidance is available from quarkus security advisories. CVEDatabase generates AI-assisted remediation guidance on demand for CVE-2024-12225.

Fix CVE-2024-12225 - CRITICAL quarkus quarkus

Description

A vulnerability was found in Quarkus in the quarkus-security-webauthn module. The Quarkus WebAuthn module publishes default REST endpoints for registering and logging users in while allowing developers to provide custom REST endpoints. When developers provide custom REST endpoints, the default endpoints remain accessible, potentially allowing attackers to obtain a login cookie that has no corresponding user in the Quarkus application or, depending on how the application is written, could correspond to an existing user that has no relation with the current attacker, allowing anyone to log in as an existing user by just knowing that user's user name.

CVSS Metrics

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector: network
Complexity: low
Privileges: none
User Action: none
Scope: unchanged
Confidentiality: high
Integrity: high
Availability: none
Weaknesses: CWE-288

Metadata

Primary Vendor: QUARKUS
Published: 5/6/2025
Last Modified: 7/31/2025
Source: NIST NVD
Note: Verify all details with official vendor sources before applying patches.

CVE-2024-12225

Description

CVSS Metrics

Metadata

Affected Products

Remediation Guidance

Executive Summary