All users of the Quarkus Java framework are strongly advised to update to version 2.14.2.Final or 2.13.5.Final (LTS) as soon as possible. The fix makes the Dev UI check the Origin header of each request and accept only requests whose value is localhost. Because the browser sets this header and JavaScript running in the page cannot modify it, malicious JavaScript hosted on a website can no longer exploit the vulnerability.

If the patch cannot be applied immediately, an interim workaround is to move all non-application endpoints to a random root path. The exploit relies on the Quarkus Dev UI component being at its default path, so changing the component's base root path to a non-default location prevents the exploit from working.

Developers should also limit web browsing from development machines. Running insecure, localhost-bound development applications is not unique to Quarkus; several other frameworks operate the same way and may be just as vulnerable to drive-by localhost attacks. Limiting non-essential web browsing and outbound network connections from developer machines therefore helps prevent a system from being exploited by malicious JavaScript hosted on an external website.
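The two mitigations described above, the Origin allow-list on Dev UI routes and the randomised non-default root path, modelled in Python as an added example. This is illustrative code, not Quarkus's own implementation; the `/q/dev` default path, the `/hello` application route, the helper names and the sample headers are assumptions made for the example. It also shows the check a practitioner should be careful about: the Origin value must be parsed, not substring-matched, so that a host such as `localhost.attacker.example` is not accepted.

```python
"""Model of the two Quarkus Dev UI mitigations discussed above:
an Origin allow-list for Dev UI routes and a randomised, non-default
root path. Illustrative code, not Quarkus's own implementation."""
import secrets
from typing import Mapping, Optional
from urllib.parse import urlsplit

# Loopback hosts a developer's own browser presents as the Origin when it
# talks to a localhost-bound dev server (constructed allow-list).
LOCAL_HOSTS = frozenset({"localhost", "127.0.0.1", "::1"})

# Assumed default Dev UI root (not named on the page) and a constructed
# application route used by the toy dispatcher below.
DEFAULT_DEV_UI_ROOT = "/q/dev"
APP_ROUTES = frozenset({"/hello"})


def is_local_origin(origin: Optional[str]) -> bool:
    """True only when the Origin header names a loopback host.

    The header is parsed rather than substring-matched: a check such as
    '"localhost" in origin' would also accept http://localhost.attacker.example.
    """
    if not origin:
        return False
    try:
        parts = urlsplit(origin)
    except ValueError:  # e.g. an unbalanced IPv6 bracket
        return False
    if parts.scheme not in ("http", "https"):
        return False  # also rejects the literal value "null"
    host = parts.hostname  # lower-cased, IPv6 brackets removed
    return host is not None and host in LOCAL_HOSTS


def _header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup."""
    name = name.lower()
    for key, value in headers.items():
        if key.lower() == name:
            return value
    return None


def is_trusted_dev_ui_request(headers: Mapping[str, str]) -> bool:
    """Decide whether a request to a Dev UI route may proceed.

    Cross-site fetch/XHR and form submissions always carry Origin, so that
    header is the primary signal. Top-level navigations (typing the URL,
    bookmarks) omit it; for those we rely on Sec-Fetch-Site, which the
    browser also sets and page scripts cannot forge. Anything else fails
    closed.
    """
    origin = _header(headers, "Origin")
    if origin is not None:
        return is_local_origin(origin)
    return _header(headers, "Sec-Fetch-Site") in ("none", "same-origin")


def random_dev_ui_root() -> str:
    """Workaround: a non-guessable root so the default path no longer exists."""
    return "/" + secrets.token_urlsafe(16) + "/dev"


def handle_request(path: str, headers: Mapping[str, str],
                   dev_ui_root: str = DEFAULT_DEV_UI_ROOT) -> int:
    """Toy dispatcher returning an HTTP status code."""
    if path in APP_ROUTES:
        return 200  # ordinary application endpoint, no Dev UI restriction
    if path == dev_ui_root or path.startswith(dev_ui_root + "/"):
        return 200 if is_trusted_dev_ui_request(headers) else 403
    return 404


if __name__ == "__main__":
    evil = {"Origin": "https://attacker.example"}  # constructed cross-site request
    print(handle_request("/q/dev/extensions", {"Origin": "http://localhost:8080"}))  # 200
    print(handle_request("/q/dev/extensions", evil))                                 # 403
    root = random_dev_ui_root()
    print(handle_request("/q/dev/extensions", evil, root))                           # 404
```

Treating a missing Origin as untrusted unless Sec-Fetch-Site says otherwise is a deliberate fail-closed choice: a developer's direct navigation to the Dev UI still works in current browsers, while an older browser that sends neither header is refused rather than silently allowed. In a real Quarkus deployment the root path moved by the workaround is the non-application root configured through `quarkus.http.non-application-root-path`; the page itself does not name the property.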
https://thehackernews.com/2022/12/researchers-disclose-critical-rce.html
https://www.contrastsecurity.com/security-influencers/localhost-attack-against-quarkus-developers-contrast-security

