Quarkus / QUARKUS-6796

Request for Quarkus Service Pack addressing CVE-2025-55163 - io.netty:netty-codec-http2

    • Support Patch
    • Resolution: Unresolved
    • Major
    • 3.27.0.GA
    • quarkus-core

      We identified that the current version of Red Hat Build of Quarkus (3.27.0.redhat-00002) in use is affected by the vulnerability CVE-2025-55163, which impacts the library:

      io.netty:netty-codec-http2

      This vulnerability may expose applications to potential Denial of Service (DoS) or other security risks when handling HTTP/2 traffic under specific conditions.

      The issue has been fixed upstream in recent versions of Netty, but the fix is not yet included in the current supported Quarkus distribution.

      Environment Details

      • Product: Red Hat Build of Quarkus
      • Version: [3.27.0.redhat-00002]
      • Affected component: io.netty:netty-codec-http2
      • CVE: CVE-2025-55163
      • Fixed upstream version: [4.2.4.Final, 4.1.124.Final]

      Business Impact

      The presence of this CVE affects the security compliance posture of our Quarkus-based services.

      We must ensure that our environments remain free from known vulnerabilities in order to comply with internal security policies and vulnerability management requirements.

      Request

      We kindly request the release of a Service Pack or patch update for the Red Hat Build of Quarkus that includes the updated Netty dependency addressing CVE-2025-55163.

      References

      • Upstream dependency: io.netty:netty-codec-http2

      report.html

              gsmet@redhat.com Guillaume Smet
              antonio.musarra@gmail.com Antonio Musarra