Hibernate Reactive, DoS via Connection Pool Exhaustion, Moderate Severity

Listen to this Post

The vulnerability in Hibernate Reactive stems from inadequate handling of database connection lifecycle during premature HTTP connection closures. When an HTTP endpoint exposes database operations, remote clients can abort connections before responses complete. In reactive programming, database interactions are asynchronous, with connections borrowed from a pool. Upon early client disconnection, the reactive chain cancellation may not propagate properly to the connection pool manager. This results in acquired database connections not being released back to the pool, causing leaks. Over time, repeated malicious requests exhaust all available connections in the pool. Once exhausted, new database operations fail, leading to Denial of Service. The issue is specific to reactive frameworks where non-blocking I/O and cancellation signals are mismanaged. Attackers exploit this by sending requests and abruptly terminating them, depleting pool resources without triggering cleanup. The flaw affects environments with high concurrency and limited pool configuration. Patched versions ensure connection release is tied to cancellation events, preventing leaks.
Platform: Hibernate Reactive
Version: < 4.2.1
Vulnerability: Connection Pool Exhaustion
Severity: Moderate
Date: Jan 26 2026

Prediction: Patched Jan 27 2026

What Undercode Say:

curl –max-time 0.5 http://endpoint

netcat abort simulation

mvn dependency:tree grep

vulnerable endpoint code

@GET @Path public Uni

how Exploit:

Send HTTP requests

Abort connections prematurely

Repeat to exhaust pool

Protection from this CVE

Upgrade to 4.2.1

Monitor connection pools

Implement rate limiting

Impact:

Denial of Service

Resource exhaustion

Application downtime

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top