Security News > 2022 > December > Researchers Disclose Critical RCE Vulnerability Affecting Quarkus Java Framework

A critical security vulnerability has been disclosed in the Quarkus Java framework that could be potentially exploited to achieve remote code execution on affected systems.
"The vulnerability is found in the Dev UI Config Editor, which is vulnerable to drive-by localhost attacks that could lead to remote-code execution," Contrast Security researcher Joseph Beeton, who reported the bug, said in a write-up.
Quarkus, developed by Red Hat, is an open source project that's used for creating Java applications in containerized and serverless environments.
It's worth pointing out that the issue only impacts developers who are running Quarkus and are tricked into visiting a specially crafted website, which is embedded with malicious JavaScript code designed to install or execute arbitrary payloads.
The problem identified by Contrast Security lies in the fact that the JavaScript code hosted on a malware-laced website can be weaponized to modify the Quarkus application configuration via an HTTP POST request to trigger code execution.
"While it only affects Dev Mode, the impact is still high, as it could lead to an attacker getting local access to your development box," Quarkus noted in an independent advisory.
News URL
http://thehackernews.com/2022/12/researchers-disclose-critical-rce.html
Related news
- Gladinet’s Triofox and CentreStack Under Active Exploitation via Critical RCE Vulnerability (source)
- Critical Commvault RCE vulnerability fixed, PoC available (CVE-2025-34028) (source)
- BlueToolkit: Open-source Bluetooth Classic vulnerability testing framework (source)
- Ivanti VPN customers targeted via unrecognized RCE vulnerability (CVE-2025-22457) (source)
- CISA Warns of CentreStack's Hard-Coded MachineKey Vulnerability Enabling RCE Attacks (source)
- Critical Apache Roller Vulnerability (CVSS 10.0) Enables Unauthorized Session Persistence (source)
- Critical Erlang/OTP SSH Vulnerability (CVSS 10.0) Allows Unauthenticated Code Execution (source)
- Critical Erlang/OTP SSH pre-auth RCE is 'Surprisingly Easy' to exploit, patch now (source)
- Critical Erlang/OTP SSH RCE bug now has public exploits, patch now (source)
- Researchers Identify Rack::Static Vulnerability Enabling Data Breaches in Ruby Servers (source)