Closed
Labels: area/dist/quarkus, backport/26.4, kind/bug, priority/low, team/cloud-native
Description
Before reporting an issue
- I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.
Area
dist/quarkus
Describe the bug
- Package Manager: maven
- Vulnerable module: io.vertx:vertx-web
- Introduced through: org.keycloak:[email protected], io.quarkiverse.operatorsdk:[email protected] and others
Detailed paths
- Introduced through: org.keycloak:[email protected] › io.quarkiverse.operatorsdk:[email protected] › io.quarkus:[email protected] › io.quarkus:[email protected] › io.vertx:[email protected]
Overview
io.vertx:vertx-web is a library for building HTTP web applications on Vert.x.
Affected versions of this package are vulnerable to Files or Directories Accessible to External Parties because the StaticHandler implementation improperly handles hidden directories even when the setIncludeHidden(false) configuration is set. An attacker can access sensitive files within hidden directories by directly requesting their paths, potentially exposing confidential information such as credentials, configuration files, or source code.
Remediation
Upgrade io.vertx:vertx-web to version 4.5.22, 5.0.5 or higher.
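As an added check (not part of this issue or of the Keycloak project), the Python below scans `mvn dependency:tree` output for io.vertx:vertx-web and flags any version below the fixed releases named above (4.5.22 for the 4.x line, 5.0.5 for the 5.x line); the sample tree, its versions and the X.Y.Z Quarkus placeholder are constructed.

```python
"""Flag io.vertx:vertx-web versions older than the fixed releases named in the
advisory: 4.5.22 for the 4.x line and 5.0.5 for the 5.x line."""
import re

# Fixed versions from the remediation section, keyed by major version line.
FIXED = {4: (4, 5, 22), 5: (5, 0, 5)}

# Matches the vertx-web coordinate as `mvn dependency:tree` prints it (group:artifact:type:version:scope).
COORD_RE = re.compile(r"io\.vertx:vertx-web:jar:([^:\s]+)")

def parse_version(version):
    """Turn '4.5.21' or '4.5.22.Final' into a tuple of its leading numeric parts."""
    parts = []
    for piece in version.split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)

def is_vulnerable(version):
    """True when the version is older than the fixed release for its major line."""
    # A major line the advisory lists no fix for (e.g. 3.x) or an unparseable version is reported as vulnerable.
    parsed = parse_version(version)
    if not parsed:
        return True
    fixed = FIXED.get(parsed[0])
    if fixed is None:
        return True
    return parsed < fixed

def find_vertx_web(tree_text):
    """Return (version, vulnerable) for every vertx-web node in dependency:tree output."""
    return [(m.group(1), is_vulnerable(m.group(1)))
            for line in tree_text.splitlines()
            for m in [COORD_RE.search(line)] if m]

# Constructed sample output (not from the issue); the vertx-web version is illustrative
# and the Quarkus version is a placeholder.
SAMPLE_TREE = """\
[INFO] org.example:app:jar:1.0.0
[INFO] +- io.quarkus:quarkus-vertx-http:jar:X.Y.Z:compile
[INFO] |  \\- io.vertx:vertx-web:jar:4.5.21:compile
[INFO] \\- com.example:other:jar:2.0:compile
"""

if __name__ == "__main__":
    for version, vulnerable in find_vertx_web(SAMPLE_TREE):
        print(f"io.vertx:vertx-web {version}: {'UPGRADE NEEDED' if vulnerable else 'ok'}")
```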
References
Version
26.4.2
Regression
- The issue is a regression
Expected behavior
No CVE reported.
Actual behavior
CVE reported.
How to Reproduce?
Please check the scanner alerts.
Anything else?
No response
wollomatic