Update io.vertx:4.3.5 [SECURITY] by dwertent · Pull Request #64 · kaleido-io/besu

dwertent · 2026-06-15T20:13:23Z

This PR contains the following updates:

Package	Type	Update	Change
io.vertx:vertx-web (source)	dependencies	minor	`4.3.5` → `4.5.22`
io.vertx:vertx-core (source)	dependencies	minor	`4.3.5` → `4.4.0`

StaticHandler disclosure of classpath resources on Windows when mounted on a wildcard route

CVE-2023-24815 / GHSA-53jx-vvf9-4x38

More information

Details

Summary

When running vertx web applications that serve files using StaticHandler on Windows Operating Systems and Windows File Systems, if the mount point is a wildcard (*) then an attacker can exfiltrate any class path resource.

Details

When computing the relative path to locate the resource, in case of wildcards, the code:

https://github.com/vert-x3/vertx-web/blob/62c0d66fa1c179ae6a4d57344631679a2b97e60f/vertx-web/src/main/java/io/vertx/ext/web/impl/Utils.java#L83

returns the user input (without validation) as the segment to lookup. Even though checks are performed to avoid escaping the sandbox, given that the input was not sanitized \ are not properly handled and an attacker can build a path that is valid within the classpath.

PoC

https://github.com/adrien-aubert-drovio/vertx-statichandler-windows-traversal-path-vulnerability

Severity

CVSS Score: 4.8 / 10 (Medium)
Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Vert.x-Web vulnerable to Stored Cross-site Scripting in directory listings via file names

CVE-2025-11966 / GHSA-45p5-v273-3qqr

More information

Details

Description

In the StaticHandlerImpl#sendDirectoryListing(...) method under the text/html branch, file and directory names are directly embedded into the href, title, and link text without proper HTML escaping.
As a result, in environments where an attacker can control file names, injecting HTML/JavaScript is possible. Simply accessing the directory listing page will trigger an XSS.
Affected Code:
- File: vertx-web/src/main/java/io/vertx/ext/web/handler/impl/StaticHandlerImpl.java
- Lines:
  - 709–713: normalizedDir is constructed without escaping
  - 714–731: <li><a ...> elements insert file names directly into attributes and body without escaping
  - 744: parent directory name construction
  - 746–751: {directory}, {parent}, and {files} are inserted into the HTML template without escaping

Reproduction Steps

Prerequisites:
- Directory listing is enabled using StaticHandler
  (e.g., StaticHandler.create("public").setDirectoryListing(true))
- The attacker has the ability to create arbitrary file names under a public directory (e.g., via upload functionality or a shared directory)
Create a malicious file name (example for Unix-based OS):
- Create an empty file in public/ with one of the following names:
  - <img src=x onerror=alert('XSS')>.txt
  - Or attribute injection: evil" onmouseover="alert('XSS')".txt
- Example:
```
mkdir -p public
printf 'test' > "public/<img src=x onerror=alert('XSS')>.txt"
```
Start the server (example):
- Routing: router.route("/public/*").handler(StaticHandler.create("public").setDirectoryListing(true));
- Server: vertx.createHttpServer().requestHandler(router).listen(8890);

Verification request (raw HTTP):

GET /public/ HTTP/1.1
Host: 127.0.0.1:8890
Accept: text/html
Connection: close

Example response excerpt:

<ul id="files">
  <li>
    <a href="/public/<img src=x onerror=alert('XSS')>.txt"
       title="<img src=x onerror=alert('XSS')>.txt">
       <img src=x onerror=alert('XSS')>.txt
    </a>
  </li>
  ...
</ul>

When accessing /public/ in a browser, the unescaped file name is interpreted as HTML, and event handlers such as onerror are executed.

Potential Impact

Stored XSS
- Arbitrary JavaScript executes in the browser context of users viewing the listing page
- Possible consequences:
  - Theft of session tokens, JWTs, localStorage contents, or CSRF tokens
  - Unauthorized actions with admin privileges (user creation, permission changes, settings modifications)
  - Watering hole attacks, including malware distribution or malicious script injection to other pages
Common Conditions That Make Exploitation Easier
- Uploaded files are served directly under a publicly accessible directory
- Shared/synced directories (e.g., NFS, SMB, WebDAV, or cloud sync) are exposed
- ZIP/TAR archives are extracted directly under the webroot and directory listing is enabled in production environments

Similar CVEs Previously Reported

CVE‑2024‑32966
CVE‑2019‑15603

Severity

CVSS Score: 2.3 / 10 (Low)
Vector String: CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Vert.x-Web Access Control Flaw in StaticHandler’s Hidden File Protection for Files Under Hidden Directories

CVE-2025-11965 / GHSA-h5fg-jpgr-rv9c

More information

Details

Description

There is a flaw in the hidden file protection feature of Vert.x Web’s StaticHandler when setIncludeHidden(false) is configured.

In the current implementation, only files whose final path segment (i.e., the file name) begins with a dot (.) are treated as “hidden” and are blocked from being served. However, this logic fails in the following cases:

Files under hidden directories: For example, /.secret/config.txt — although .secret is a hidden directory, the file config.txt itself does not start with a dot, so it gets served.
Real-world impact: Sensitive files placed in hidden directories like .git, .env, .aws may become publicly accessible.

As a result, the behavior does not meet the expectations set by the includeHidden=false configuration, which should ideally protect all hidden files and directories. This gap may lead to unintended exposure of sensitive information.

Steps to Reproduce

1. Prepare test environment

##### Create directory structure
mkdir -p src/test/resources/webroot/.secret
mkdir -p src/test/resources/webroot/.git

##### Place test files
echo "This is a visible file" > src/test/resources/webroot/visible.txt
echo "This is a hidden file" > src/test/resources/webroot/.hidden.txt
echo "SECRET DATA: API_KEY=abc123" > src/test/resources/webroot/.secret/config.txt
echo "Git config data" > src/test/resources/webroot/.git/config

2. Implement test server

import io.vertx.core.AbstractVerticle;
import io.vertx.core.Vertx;
import io.vertx.ext.web.Router;
import io.vertx.ext.web.handler.StaticHandler;

public class StaticHandlerTestServer extends AbstractVerticle {
  @&#8203;Override
  public void start() {
    Router router = Router.router(vertx);

    // Configure to not serve hidden files
    StaticHandler staticHandler = StaticHandler.create("src/test/resources/webroot")
      .setIncludeHidden(false)
      .setDirectoryListing(false);

    router.route("/*").handler(staticHandler);

    vertx.createHttpServer()
      .requestHandler(router)
      .listen(8082);
  }

  public static void main(String[] args) {
    Vertx vertx = Vertx.vertx();
    vertx.deployVerticle(new StaticHandlerTestServer());
  }
}

3. Confirm the vulnerability

##### Normal file (accessible)
curl http://localhost:8082/visible.txt

##### Result: 200 OK

##### Hidden file (correctly blocked)
curl http://localhost:8082/.git

##### Result: 404 Not Found

##### File under hidden directory (vulnerable)
curl http://localhost:8082/.git/config

##### Result: 200 OK - Returns contents of Git config

Potential Impact

1. Information Disclosure

Examples of sensitive files that could be exposed:

.git/config: Git repository settings (e.g., remote URL, credentials)
.env/*: Environment variables (API keys, DB credentials)
.aws/credentials: AWS access keys
.ssh/known_hosts: SSH host trust info
.docker/config.json: Docker registry credentials

2. Attack Scenarios

Attackers can guess common hidden directory names and enumerate filenames under them to access confidential data.
Especially dangerous for .git/HEAD, .git/config, .git/objects/* — which may allow full reconstruction of source code.

3. Affected Scope

Affected version: Vert.x Web 5.1.0-SNAPSHOT (likely earlier versions as well)
Environments: All OSes (Windows, Linux, macOS)
Configurations: All applications using StaticHandler.setIncludeHidden(false)

Severity

CVSS Score: 6.3 / 10 (Medium)
Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Eclipse Vert.x vulnerable to a memory leak in TCP servers

CVE-2024-1300 / GHSA-9ph3-v2vh-3qx7

More information

Details

A vulnerability in the Eclipse Vert.x toolkit causes a memory leak in TCP servers configured with TLS and SNI support. When processing an unknown SNI server name assigned the default certificate instead of a mapped certificate, the SSL context is erroneously cached in the server name map, leading to memory exhaustion. This flaw allows attackers to send TLS client hello messages with fake server names, triggering a JVM out-of-memory error.

Severity

CVSS Score: 5.4 / 10 (Medium)
Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Vert.x Web static handler component cache can be manipulated to deny the access to static files

CVE-2026-1002 / GHSA-cphf-4846-3xx9

More information

Details

The Vert.x Web static handler component cache can be manipulated to deny the access to static files served by the handler using specifically crafted request URI.

The issue comes from an improper implementation of the C. rule of section 5.2.4 of RFC3986 and is fixed in Vert.x Core component (used by Vert.x Web): https://github.com/eclipse-vertx/vert.x/pull/5895

Steps to reproduce
Given a file served by the static handler, craft an URI that introduces a string like bar%2F..%2F after the last / char to deny the access to the URI with an HTTP 404 response. For example https://example.com/foo/index.html can be denied with https://example.com/foo/bar%2F..%2Findex.html

Mitgation
Disabling Static Handler cache fixes the issue.

StaticHandler staticHandler = StaticHandler.create().setCachingEnabled(false);

Severity

CVSS Score: 6.9 / 10 (Medium)
Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Vert.x has a DoS via unbounded server-side SNI SslContext cache growth

CVE-2026-6860 / GHSA-3g76-f9xq-8vp6

More information

Details

Potential unbounded server-side SNI SslContext cache growth in Vert.x TLS handling, with = resource-exhaustion / DoS impact. On affected versions, matching server-side SNI names are cached via computeIfAbsent(serverName, ...) in a serverName-keyed SslContext cache.

The implementation differs slightly by branch, but the same sink appears to be present in released versions 4.3.4 through 5.0.11:

4.3.x: SSLHelper
4.4.x / 4.5.x: SslChannelProvider
5.0.x and current master: SslContextProvider

When server-side SNI is enabled and wildcard or otherwise broad hostname mappings are used, an unauthenticated client can send many distinct matching SNI names and cause the server to retain increasing numbers of SslContext entries over time, leading to increasing memory consumption and possible DoS conditions.

Steps to reproduce

Configure a Vert.x server with setSsl(true) and setSni(true).
Use a keystore or mapping where many distinct SNI names match a wildcard or similarly broad rule.
Send repeated connections with distinct matching SNI values.
Observe that the SNI cache size grows with the number of unique matching names.

What are the affected versions?

Affected released versions confirmed on origin:

4.3.4 through 4.3.8
4.4.0 through 4.4.9
4.5.0 through 4.5.26
5.0.0 through 5.0.11

Not affected by the same sink:

4.0.x through 4.2.x
4.3.0 through 4.3.3

Severity

CVSS Score: 6.9 / 10 (Medium)
Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Release Notes

vert-x3/vertx-web (io.vertx:vertx-web)

                   dependency 'io.reactivex.rxjava2:rxjava:2.2.21'
-                  dependencySet(group: 'io.vertx', version: '4.3.5') {
+                  dependencySet(group: 'io.vertx', version: '4.4.0') {

Conversation

dwertent commented Jun 15, 2026

StaticHandler disclosure of classpath resources on Windows when mounted on a wildcard route

Details

Summary

Details

PoC

Severity

References

Vert.x-Web vulnerable to Stored Cross-site Scripting in directory listings via file names

Details

Description

Reproduction Steps

Potential Impact

Similar CVEs Previously Reported

Severity

References

Vert.x-Web Access Control Flaw in StaticHandler’s Hidden File Protection for Files Under Hidden Directories

Details

Description

Steps to Reproduce

Potential Impact

1. Information Disclosure

2. Attack Scenarios

3. Affected Scope

Severity

References

Eclipse Vert.x vulnerable to a memory leak in TCP servers

Details

Severity

References

Vert.x Web static handler component cache can be manipulated to deny the access to static files

Details

Severity

References

Vert.x has a DoS via unbounded server-side SNI SslContext cache growth

Details

Steps to reproduce

What are the affected versions?

Severity

References

Release Notes

Configuration

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull request overview

Uh oh!

dwertent commented Jun 15, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants