Red Hat Apicurio Registry


Recent Red Hat Apicurio Registry Security Advisories

Advisory        Title                                                                                   Published
RHSA-2024:7861  Critical: Apicurio Registry (container images) release and security update [2.6.5 GA]  October 9, 2024

By the Year

In 2025 there have been 2 vulnerabilities in Red Hat Apicurio Registry with an average score of 6.4 out of ten. Last year, in 2024, Apicurio Registry had 1 security vulnerability published. That is, 1 more vulnerability has already been reported in 2025 than in all of last year. Last year, the average CVE base score was greater by 0.65.

Year  Vulnerabilities  Average Score
2025  2                6.35
2024  1                7.00

It may take a day or so for new Apicurio Registry vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Red Hat Apicurio Registry Security Vulnerabilities

Operator SDK <0.15.2 RCE via insecure user_setup /etc/passwd
CVE-2025-7195 5.2 - Medium - August 07, 2025

Early versions of Operator-SDK provided an insecure method to allow operator containers to run in environments that used a random UID. Operator-SDK before 0.15.2 provided a script, user_setup, which modifies the permissions of the /etc/passwd file to 664 during build time. Developers who used Operator-SDK before 0.15.2 to scaffold their operator may still be impacted by this if the insecure user_setup script is still being used to build new container images. In affected images, the /etc/passwd file is created during build time with group-writable permissions and a group ownership of root (gid=0). An attacker who can execute commands within an affected container, even as a non-root user, may be able to leverage their membership in the root group to modify the /etc/passwd file. This could allow the attacker to add a new user with any arbitrary UID, including UID 0, leading to full root privileges within the container.

Incorrect Default Permissions

Smallrye Fault Tolerance OOM DoS via /metrics URI
CVE-2025-2240 7.5 - High - March 12, 2025

A flaw was found in Smallrye, where smallrye-fault-tolerance is vulnerable to an out-of-memory (OOM) issue. This vulnerability is externally triggered when calling the metrics URI. Every call creates a new object within meterMap and may lead to a denial of service (DoS) issue.

Stack Exhaustion

Quarkus Core Env Var Leakage in Build
CVE-2024-2700 7 - High - April 04, 2024

A vulnerability was found in the quarkus-core component. Quarkus captures local environment variables from the Quarkus namespace during the application's build; therefore, the resulting application, when run, inherits the values captured at build time. Some local environment variables may have been set by the developer or CI environment for testing purposes, such as dropping the database during application startup or trusting all TLS certificates to accept self-signed certificates. If these properties are configured using environment variables or the .env facility, they are captured into the built application, which can lead to dangerous behavior if the application does not override these values. This behavior only happens for configuration properties from the `quarkus.*` namespace. Application-specific properties are not captured.

Exposure of Sensitive Information Through Environmental Variables
