Quarkus HTTP Layer Worker Thread Starvation Vulnerability

Vulnerability

The Quarkus HTTP layer, while sending a REST response, waits for the response chunks it has already written to be fully transmitted before it continues. If the client drops the connection during that wait, the wait is never satisfied and the worker thread handling the request is never returned to the pool. Because the trigger is nothing more than a client disconnect in the middle of a response, every such disconnect permanently removes one worker thread; repeated disconnects exhaust the pool, degrading application performance or making the application completely unavailable. This issue affects Quarkus versions prior to 3.30.6, 3.27.2, and 3.20.4, and has been patched in versions 3.31.0, 3.27.2, and 3.20.5.
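The following is an added illustrative model of the wait-for-flush pattern described above, written for this page; it is not Quarkus's own code and does not use the Vert.x or Quarkus APIs. The `Connection` class stands in for the HTTP transport: `write` returns a future that the transport would complete once the chunk has left the socket, and `close` simulates the client going away. The vulnerable variant never completes that future on close and the worker waits on it without a bound; the two hardened variants either wake waiters on close or bound the wait. All class, method and parameter names are this example's own.

```java
import java.io.IOException;
import java.util.concurrent.CompletableFuture;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;

/** Illustrative model of a worker stranded by a chunk-flush wait; not Quarkus code. */
public class ChunkFlushStarvation {

    /** Stand-in for the HTTP transport (constructed for this example). */
    static final class Connection {
        private final boolean wakeWaitersOnClose;
        // Completed by the transport once the most recently written chunk has left the socket.
        private volatile CompletableFuture<Void> lastFlush = CompletableFuture.completedFuture(null);
        volatile boolean closed;

        Connection(boolean wakeWaitersOnClose) { this.wakeWaitersOnClose = wakeWaitersOnClose; }

        /** Queue a chunk; the future completes when the transport has flushed it. */
        CompletableFuture<Void> write(byte[] chunk) {
            CompletableFuture<Void> flush = new CompletableFuture<>();
            lastFlush = flush;
            return flush; // in this demo no transport ever completes it: the client is about to vanish
        }

        /** Simulates the peer dropping the connection mid-response. */
        void close() {
            closed = true;
            if (wakeWaitersOnClose) {
                // Hardened behaviour: whoever is waiting for the flush must be released.
                lastFlush.completeExceptionally(new IOException("peer closed connection"));
            }
            // Vulnerable behaviour: the pending flush future is simply abandoned.
        }
    }

    /** Worker-thread logic: before writing the next chunk, wait for the previous one to flush. */
    static String sendResponse(Connection conn, int chunks, long waitTimeoutMs) {
        CompletableFuture<Void> previous = CompletableFuture.completedFuture(null);
        for (int i = 0; i < chunks; i++) {
            try {
                if (waitTimeoutMs < 0) previous.get();                                   // unbounded wait
                else previous.get(waitTimeoutMs, TimeUnit.MILLISECONDS);                 // bounded wait
            } catch (ExecutionException | TimeoutException e) {
                return "aborted: " + e.getClass().getSimpleName();
            } catch (InterruptedException e) {
                Thread.currentThread().interrupt();
                return "interrupted";
            }
            if (conn.closed) return "aborted: connection closed";
            previous = conn.write(new byte[1024]);
        }
        return "sent";
    }

    /** Runs one response on a single-thread pool, drops the client mid-response, reports whether the worker came back. */
    static String runScenario(String label, boolean wakeOnClose, long waitTimeoutMs) throws InterruptedException {
        ExecutorService worker = Executors.newSingleThreadExecutor();
        Connection conn = new Connection(wakeOnClose);
        Future<String> result = worker.submit(() -> sendResponse(conn, 2, waitTimeoutMs));
        Thread.sleep(100);   // let the worker write chunk 1 and block waiting for its flush
        conn.close();        // client disconnects while the worker is waiting
        String outcome;
        try {
            outcome = result.get(1, TimeUnit.SECONDS);
        } catch (TimeoutException e) {
            outcome = "worker still blocked after client disconnect";
        } catch (ExecutionException e) {
            outcome = "worker failed: " + e.getCause();
        }
        worker.shutdownNow(); // the only thing that frees the stranded worker in the vulnerable case
        return label + ": " + outcome;
    }

    public static void main(String[] args) throws InterruptedException {
        System.out.println(runScenario("vulnerable (unbounded wait, no wake-up on close)", false, -1));
        System.out.println(runScenario("hardened (wake waiters on close)", true, -1));
        System.out.println(runScenario("hardened (bounded wait)", false, 250));
    }
}
```

In the first scenario the worker never returns on its own; in a real pool nothing calls `shutdownNow`, so that thread is lost for the lifetime of the process, which is exactly how repeated disconnects drain the pool. Note that a bounded wait alone only limits how long each thread is held, so waking waiters on connection close is the fix that actually releases the thread promptly.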

Impact

Any client that can reach a REST endpoint can trigger the condition by dropping its connection while a response is being sent; no special payload is needed. Each such disconnect permanently removes one worker thread from the pool, so repeated disconnects lead to degraded application performance and eventually complete unavailability (denial of service) until the application is restarted.

Remediation

Upgrade to a patched release. Where that is not yet possible, implement a health check that monitors the status and saturation of the worker thread pool. Because stranded threads are never released, this detects abnormal thread retention early and lets operators take corrective action, such as restarting the affected instance, before application responsiveness is affected.
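One way to build such a check, as an added example that is not part of the advisory or of Quarkus itself: a MicroProfile Health readiness check that inspects the JVM's thread dump for Quarkus worker threads (named `executor-thread-<n>`) that are waiting or blocked somewhere other than the pool's own idle loop (frames in the `org.jboss.threads` package), and only counts a thread once it has looked that way on two consecutive probes. The `quarkus.thread-pool.max-threads` property is a real Quarkus setting; the `200` fallback, the `app.health.worker-stuck-ratio` property, the class name and the "two consecutive probes" rule are this example's own assumptions, and the whole frame heuristic is a proxy for thread retention, not a detection of this specific bug.

```java
package com.example.health; // assumed package name

import java.lang.management.ManagementFactory;
import java.lang.management.ThreadInfo;
import java.lang.management.ThreadMXBean;
import java.util.HashSet;
import java.util.Set;

import jakarta.enterprise.context.ApplicationScoped;
import org.eclipse.microprofile.config.inject.ConfigProperty;
import org.eclipse.microprofile.health.HealthCheck;
import org.eclipse.microprofile.health.HealthCheckResponse;
import org.eclipse.microprofile.health.Readiness;

/**
 * Readiness check that flags worker threads parked outside the executor's idle loop
 * on two consecutive probes, as a proxy for threads stranded by a never-completing wait.
 */
@Readiness
@ApplicationScoped
public class WorkerPoolStarvationCheck implements HealthCheck {

    // Quarkus names the blocking worker pool's threads "executor-thread-<n>".
    private static final String WORKER_PREFIX = "executor-thread-";
    // Frames of the pool implementation itself; an idle worker parks in here waiting for a task.
    private static final String EXECUTOR_PACKAGE = "org.jboss.threads.";

    // quarkus.thread-pool.max-threads is a real Quarkus property; the 200 fallback is assumed here.
    @ConfigProperty(name = "quarkus.thread-pool.max-threads", defaultValue = "200")
    int maxThreads;

    // Assumed property: fraction of the pool that may look stuck before the check reports DOWN.
    @ConfigProperty(name = "app.health.worker-stuck-ratio", defaultValue = "0.5")
    double stuckRatio;

    private Set<Long> stuckOnPreviousProbe = new HashSet<>();

    @Override
    public synchronized HealthCheckResponse call() {
        ThreadMXBean mx = ManagementFactory.getThreadMXBean();
        Set<Long> stuckNow = new HashSet<>();
        int workers = 0;
        for (ThreadInfo ti : mx.dumpAllThreads(false, false)) {
            if (ti == null || !ti.getThreadName().startsWith(WORKER_PREFIX)) continue;
            workers++;
            if (looksStuck(ti)) stuckNow.add(ti.getThreadId());
        }
        // Count a thread only if it also looked stuck on the previous probe: a single snapshot
        // would also catch legitimate waits such as a slow database call.
        Set<Long> stuckTwice = new HashSet<>(stuckNow);
        stuckTwice.retainAll(stuckOnPreviousProbe);
        stuckOnPreviousProbe = stuckNow;

        boolean ready = stuckTwice.size() < maxThreads * stuckRatio;
        return HealthCheckResponse.named("worker-pool-starvation")
                .status(ready)
                .withData("workerThreads", workers)
                .withData("maxThreads", maxThreads)
                .withData("suspectedStuck", stuckTwice.size())
                .build();
    }

    /** Waiting or blocked, and the innermost non-JDK frame is not the executor's own idle park. */
    static boolean looksStuck(ThreadInfo ti) {
        switch (ti.getThreadState()) {
            case WAITING:
            case TIMED_WAITING:
            case BLOCKED:
                break;
            default:
                return false;
        }
        for (StackTraceElement frame : ti.getStackTrace()) {
            String cls = frame.getClassName();
            if (cls.startsWith("java.") || cls.startsWith("jdk.") || cls.startsWith("sun.")) continue;
            return !cls.startsWith(EXECUTOR_PACKAGE);
        }
        return false; // no frames outside the JDK at all: treat as idle
    }
}
```

Two practical notes. The "two consecutive probes" rule is only as strict as the probe interval the orchestrator uses, so tune the interval together with the ratio. And since stranded threads never come back, consider wiring the same logic as a liveness check (`@Liveness`) rather than only readiness if you want the platform to restart the instance automatically; readiness alone merely stops routing traffic to a pod whose pool will never recover. `dumpAllThreads` with full stack traces is not free, so keep the probe period in seconds, not milliseconds.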

Added: Jan 7, 2026, 7:31 PM
Updated: Jan 7, 2026, 7:31 PM

Vulnerability Rating

Custom Algorithm

spread: 6.6
impact: 2.5
exploitability: 4.7
remediation: 7.9
relevance: 1.9
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.