Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Update dependency io.vertx:vertx-web to v4.5.22 [SECURITY] (7.2.x) #10902

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 1 commit into from
Closed

Update dependency io.vertx:vertx-web to v4.5.22 [SECURITY] (7.2.x) #10902

wants to merge 1 commit into from

Conversation

@renovatebot-confluentinc
Copy link
Contributor

@renovatebot-confluentinc renovatebot-confluentinc bot commented Oct 26, 2025
edited
Loading

For any questions/concerns about this PR, please review the Renovate Bot wiki/FAQs, or the #renovatebot Slack channel.

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
io.vertx:vertx-web (source) 4.4.8 -> 4.5.22 age adoption passing confidence

Vert.x-Web vulnerable to Stored Cross-site Scripting in directory listings via file names

CVE-2025-11966 / GHSA-45p5-v273-3qqr

More information

Details

Description
  • In the StaticHandlerImpl#sendDirectoryListing(...) method under the text/html branch, file and directory names are directly embedded into the href, title, and link text without proper HTML escaping.
  • As a result, in environments where an attacker can control file names, injecting HTML/JavaScript is possible. Simply accessing the directory listing page will trigger an XSS.
  • Affected Code:
    • File: vertx-web/src/main/java/io/vertx/ext/web/handler/impl/StaticHandlerImpl.java
    • Lines:
      • 709–713: normalizedDir is constructed without escaping
      • 714–731: <li><a ...> elements insert file names directly into attributes and body without escaping
      • 744: parent directory name construction
      • 746–751: {directory}, {parent}, and {files} are inserted into the HTML template without escaping
Reproduction Steps

  1. Prerequisites:

    • Directory listing is enabled using StaticHandler
      (e.g., StaticHandler.create("public").setDirectoryListing(true))
    • The attacker has the ability to create arbitrary file names under a public directory (e.g., via upload functionality or a shared directory)

  2. Create a malicious file name (example for Unix-based OS):

    • Create an empty file in public/ with one of the following names:
      • <img src=x onerror=alert('XSS')>.txt
      • Or attribute injection: evil" onmouseover="alert('XSS')".txt
    • Example: 
      mkdir -p public
printf 'test' > "public/<img src=x onerror=alert('XSS')>.txt"

  3. Start the server (example):

    • Routing: router.route("/public/*").handler(StaticHandler.create("public").setDirectoryListing(true));
    • Server: vertx.createHttpServer().requestHandler(router).listen(8890);

  4. Verification request (raw HTTP):

    GET /public/ HTTP/1.1
Host: 127.0.0.1:8890
Accept: text/html
Connection: close

  5. Example response excerpt:

    <ul id="files">
  <li>
    <a href="/public/<img src=x onerror=alert('XSS')>.txt"
       title="<img src=x onerror=alert('XSS')>.txt">
       <img src=x onerror=alert('XSS')>.txt
    </a>
  </li>
  ...
</ul>
  • When accessing /public/ in a browser, the unescaped file name is interpreted as HTML, and event handlers such as onerror are executed.
Potential Impact

  • Stored XSS

    • Arbitrary JavaScript executes in the browser context of users viewing the listing page
    • Possible consequences:
      • Theft of session tokens, JWTs, localStorage contents, or CSRF tokens
      • Unauthorized actions with admin privileges (user creation, permission changes, settings modifications)
      • Watering hole attacks, including malware distribution or malicious script injection to other pages

  • Common Conditions That Make Exploitation Easier

    • Uploaded files are served directly under a publicly accessible directory
    • Shared/synced directories (e.g., NFS, SMB, WebDAV, or cloud sync) are exposed
    • ZIP/TAR archives are extracted directly under the webroot and directory listing is enabled in production environments
Similar CVEs Previously Reported
  • CVE‑2024‑32966
  • CVE‑2019‑15603

Severity

  • CVSS Score: Unknown
  • Vector String: CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Vert.x-Web Access Control Flaw in StaticHandler’s Hidden File Protection for Files Under Hidden Directories

CVE-2025-11965 / GHSA-h5fg-jpgr-rv9c

More information

Details

Description

There is a flaw in the hidden file protection feature of Vert.x Web’s StaticHandler when setIncludeHidden(false) is configured.

In the current implementation, only files whose final path segment (i.e., the file name) begins with a dot (.) are treated as “hidden” and are blocked from being served. However, this logic fails in the following cases:

  • Files under hidden directories: For example, /.secret/config.txt — although .secret is a hidden directory, the file config.txt itself does not start with a dot, so it gets served.
  • Real-world impact: Sensitive files placed in hidden directories like .git, .env, .aws may become publicly accessible.

As a result, the behavior does not meet the expectations set by the includeHidden=false configuration, which should ideally protect all hidden files and directories. This gap may lead to unintended exposure of sensitive information.

Steps to Reproduce
1. Prepare test environment

##### Create directory structure
mkdir -p src/test/resources/webroot/.secret
mkdir -p src/test/resources/webroot/.git

##### Place test files
echo "This is a visible file" > src/test/resources/webroot/visible.txt
echo "This is a hidden file" > src/test/resources/webroot/.hidden.txt
echo "SECRET DATA: API_KEY=abc123" > src/test/resources/webroot/.secret/config.txt
echo "Git config data" > src/test/resources/webroot/.git/config
2. Implement test server

import io.vertx.core.AbstractVerticle;
import io.vertx.core.Vertx;
import io.vertx.ext.web.Router;
import io.vertx.ext.web.handler.StaticHandler;

public class StaticHandlerTestServer extends AbstractVerticle {
  @&#8203;Override
  public void start() {
    Router router = Router.router(vertx);

    // Configure to not serve hidden files
    StaticHandler staticHandler = StaticHandler.create("src/test/resources/webroot")
      .setIncludeHidden(false)
      .setDirectoryListing(false);

    router.route("/*").handler(staticHandler);

    vertx.createHttpServer()
      .requestHandler(router)
      .listen(8082);
  }

  public static void main(String[] args) {
    Vertx vertx = Vertx.vertx();
    vertx.deployVerticle(new StaticHandlerTestServer());
  }
}
3. Confirm the vulnerability

##### Normal file (accessible)
curl http://localhost:8082/visible.txt

##### Result: 200 OK

##### Hidden file (correctly blocked)
curl http://localhost:8082/.git

##### Result: 404 Not Found

##### File under hidden directory (vulnerable)
curl http://localhost:8082/.git/config

##### Result: 200 OK - Returns contents of Git config
Potential Impact
1. Information Disclosure

Examples of sensitive files that could be exposed:

  • .git/config: Git repository settings (e.g., remote URL, credentials)
  • .env/*: Environment variables (API keys, DB credentials)
  • .aws/credentials: AWS access keys
  • .ssh/known_hosts: SSH host trust info
  • .docker/config.json: Docker registry credentials
2. Attack Scenarios
  • Attackers can guess common hidden directory names and enumerate filenames under them to access confidential data.
  • Especially dangerous for .git/HEAD, .git/config, .git/objects/* — which may allow full reconstruction of source code.
3. Affected Scope
  • Affected version: Vert.x Web 5.1.0-SNAPSHOT (likely earlier versions as well)
  • Environments: All OSes (Windows, Linux, macOS)
  • Configurations: All applications using StaticHandler.setIncludeHidden(false)

Severity

  • CVSS Score: Unknown
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

@service-bot-app service-bot-app bot marked this pull request as ready for review October 26, 2025 03:26
@service-bot-app service-bot-app bot requested a review from a team as a code owner October 26, 2025 03:26
@service-bot-app
Copy link
Contributor

service-bot-app bot commented Oct 26, 2025

Could not automerge PR: CI checks have not passed

@vi-tayal vi-tayal changed the base branch from 7.2.x to 7.3.x November 3, 2025 14:22
@vi-tayal vi-tayal closed this Nov 3, 2025
@renovatebot-confluentinc renovatebot-confluentinc bot deleted the renovate/7.2.x-maven-io.vertx-vertx-web-vulnerability branch November 4, 2025 05:02
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

renovatebot-cve

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@vi-tayal