Eclipse Vert.x security vulnerability
Eclipse Vert.x is a toolkit developed by the Eclipse Foundation for building reactive applications on the JVM. A security vulnerability exists in Eclipse Vert.x which stems from the fact that a TCP client can perform TLS handshakes and present server name extensions. These server name...
PT-2026-28107
Name of the Vulnerable Software and Affected Versions Netty versions prior to 4.1.132.Final and 4.2.10.Final Description Netty incorrectly parses quoted strings in HTTP/1.1 chunked transfer encoding extension values, enabling request smuggling attacks. Specifically, Netty terminates chunk header...
Security Bulletin: IBM Event Processing is vulnerable to unauthorized access to hidden files and stored cross-site scripting (XSS) (CVE-2025-11965, CVE-2025-11966)
Summary IBM Event Processing is vulnerable to unauthorized access to hidden files and stored cross-site scripting (XSS) when using Eclipse Vert.x. Vulnerability Details CVEID: CVE-2025-11965 DESCRIPTION: In Eclipse Vert.x versions 4.0.0 through 4.5.21 and 5.0.0 through 5.0.4, a StaticHandler configuration for...
CVE-2026-1002 Eclipse Vert.x Web static handler file access denial
The Vert.x Web static handler component's cache can be manipulated to deny access to static files served by the handler using a specifically crafted request URI. The issue comes from an improper implementation of rule C of section 5.2.4 (remove_dot_segments) of RFC 3986 and is fixed in the Vert.x Core component used b...
io.vertx/vertx-web: Eclipse Vert.x cross site scripting
In Eclipse Vert.x, when "directory listing" is enabled, file and directory names are inserted into generated HTML without proper escaping in the href, title, and link attributes. An attacker who can create or rename files or directories within a served path can craft filenames containing maliciou...
Linux Distros Unpatched Vulnerability : CVE-2025-11965
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor-supplied patch available. - In Eclipse Vert.x versions 4.0.0 through 4.5.21 and 5.0.0 through 5.0.4, a StaticHandler configuration for restricting access to hidden files fails to restrict access to hidd...
CVE-2025-11965
In Eclipse Vert.x versions 4.0.0 through 4.5.21 and 5.0.0 through 5.0.4, a StaticHandler configuration for restricting access to hidden files fails to restrict access to hidden directories, allowing unauthorized users to retrieve files within them, e.g. '.git/config'...
CVE-2025-11965
The CVE-2025-11965 issue affects Eclipse Vert.x: versions 4.0.0–4.5.21 and 5.0.0–5.0.4 contain a defect in StaticHandler's hidden-file restriction that fails to restrict access to hidden directories, enabling unauthorized access to files inside them (for example, .git/config). The available connected documents c...
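The two StaticHandler entries above share a root cause: a static-file handler must first bring the request path into a canonical form (RFC 3986 section 5.2.4, the rule C the CVE-2026-1002 entry cites) and then apply its access rules to every segment of that canonical path, not only to the final file name. The following is an added illustration written for this page, not Vert.x code; it implements the RFC algorithm literally and contrasts a last-segment-only hidden-file check, which lets `/.git/config` through, with a check over every segment. The function names and the `include_hidden` flag are assumptions for illustration.

```python
"""Path normalization and hidden-segment checks for a static-file handler.

Added example (not Vert.x code). remove_dot_segments() follows RFC 3986
section 5.2.4 rule by rule; static_handler_decision() shows where the
hidden-file rule must run (after decoding and normalization) and why
inspecting only the final segment is insufficient.
"""
from urllib.parse import unquote


def remove_dot_segments(path: str) -> str:
    """RFC 3986 section 5.2.4, rules A-E, applied to an input buffer."""
    inp = path
    out = []  # segments already moved to the output buffer, each with its leading '/'
    while inp:
        if inp.startswith("../"):          # rule A: leading '../'
            inp = inp[3:]
        elif inp.startswith("./"):         # rule A: leading './'
            inp = inp[2:]
        elif inp.startswith("/./"):        # rule B: '/./' -> '/'
            inp = inp[2:]
        elif inp == "/.":                  # rule B: trailing '/.'
            inp = "/"
        elif inp.startswith("/../"):       # rule C: '/../' -> '/' and drop last output segment
            inp = inp[3:]
            if out:
                out.pop()
        elif inp == "/..":                 # rule C: trailing '/..'
            inp = "/"
            if out:
                out.pop()
        elif inp in (".", ".."):           # rule D: bare '.' or '..'
            inp = ""
        else:                              # rule E: move the first segment to the output
            start = 1 if inp.startswith("/") else 0
            nxt = inp.find("/", start)
            if nxt == -1:
                out.append(inp)
                inp = ""
            else:
                out.append(inp[:nxt])
                inp = inp[nxt:]
    return "".join(out)


def is_hidden_last_segment_only(path: str) -> bool:
    """The flawed shape: only the file name is inspected, so a hidden
    directory such as /.git/config is not recognised as hidden."""
    return path.rsplit("/", 1)[-1].startswith(".")


def is_hidden_any_segment(path: str) -> bool:
    """Hardened: every segment of the normalized path is inspected."""
    return any(seg.startswith(".") for seg in path.split("/") if seg)


def static_handler_decision(request_path: str, include_hidden: bool = False) -> str:
    """Decode, normalize, then decide. Returns 'serve' or 'deny'.

    include_hidden is an assumed knob mirroring a 'serve hidden files'
    option; with it off, any dot-prefixed segment is denied.
    """
    decoded = unquote(request_path)            # %2e%2e -> '..' before normalizing
    norm = remove_dot_segments(decoded)
    if not norm.startswith("/") or "\x00" in norm:
        return "deny"
    if not include_hidden and is_hidden_any_segment(norm):
        return "deny"
    return "serve"


if __name__ == "__main__":
    for p in ["/css/app.css", "/.git/config", "/css/%2e%2e/.git/config"]:
        print(p, "->", static_handler_decision(p))
```

Percent-decoding happens before normalization so that `%2e%2e` is seen as `..`; the hidden-segment check then runs on the fully normalized path, which is the same string a handler should use as its cache key.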
CVE-2025-11966
CVE-2025-11966 affects Eclipse Vert.x with directory listing enabled: when using Vert.x 4.0.0–4.5.21 and 5.0.0–5.0.4, file/directory names are inserted into generated HTML without escaping in href, title, and link attributes, enabling stored XSS. Red Hat advisory RHSA-2026:0134 notes this CVE is ...
CVE-2025-11966
In Eclipse Vert.x versions 4.0.0 through 4.5.21 and 5.0.0 through 5.0.4, when "directory listing" is enabled, file and directory names are inserted into generated HTML without proper escaping in the href, title, and link attributes. An attacker who can create or rename files or directories within a served path...
Security Bulletin: Multiple vulnerabilities found in IBM Security Verify Information Queue
Summary Multiple security vulnerabilities in third-party libraries have been addressed in IBM Security Verify Information Queue (ISIQ). Vulnerability Details CVEID: CVE-2023-40167 DESCRIPTION: Jetty is a Java based web server and servlet engine. Prior to versions 9.4.52, 10.0.16, 11.0.16, and...
PT-2024-38985 · Eclipse · Eclipse Vert.X
Name of the Vulnerable Software and Affected Versions: Eclipse Vert.x versions 4.3.0 through 4.5.9 Description: The gRPC server in Eclipse Vert.x does not limit the maximum length of a message payload, which can lead to potential issues. This issue does not affect the Vert.x gRPC server based on...
GHSA-9PH3-V2VH-3QX7 Eclipse Vert.x vulnerable to a memory leak in TCP servers
A vulnerability in the Eclipse Vert.x toolkit causes a memory leak in TCP servers configured with TLS and SNI support. When processing an unknown SNI server name assigned the default certificate instead of a mapped certificate, the SSL context is erroneously cached in the server name map, leading...
Eclipse Vert.x security vulnerability
Eclipse Vert.x is an Eclipse Foundation toolkit for building reactive applications on the JVM. A security vulnerability exists in Eclipse Vert.x versions prior to 4.4.8, which stems from a memory leak that allows an attacker to trigger an out-of-memory error in the JVM by sendin...
PT-2024-7970 · Eclipse · Eclipse Vert.X
Name of the Vulnerable Software and Affected Versions: Eclipse Vert.x affected versions not specified Description: A vulnerability in the Eclipse Vert.x toolkit causes a memory leak in TCP servers configured with TLS and SNI support. When processing an unknown SNI server name, the default...
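The three SNI entries above describe the same mechanism: the server keeps a map from server name to SSL context, and the defect is that a lookup miss, which should simply fall back to the default context, instead records the default context under the unknown name. Because the client chooses the SNI value, every handshake can carry a fresh name and the map grows without bound. The model below is an added illustration for this page, not Vert.x's TLS code; class and method names are assumptions, and the "contexts" are strings standing in for real SSL contexts.

```python
"""SNI context selection with and without the caching defect.

Added example (not Vert.x code). Models a TLS server holding one SSL
context per configured server name plus a default context. The flawed
variant stores the default context under every unknown name it sees; the
fixed variant returns the default without touching the map.
"""


class SniContextMap:
    def __init__(self, configured_names, cache_unknown: bool):
        # one context per mapped certificate (strings stand in for SSL contexts)
        self.configured = {name: f"ctx:{name}" for name in configured_names}
        self.default_ctx = "ctx:default"
        self.cache = dict(self.configured)
        self.cache_unknown = cache_unknown   # True reproduces the leak

    def lookup(self, server_name: str) -> str:
        ctx = self.cache.get(server_name)
        if ctx is not None:
            return ctx
        # No mapped certificate for this name: fall back to the default.
        ctx = self.default_ctx
        if self.cache_unknown:
            # The defect: the fallback is cached under a client-chosen key,
            # so the map grows by one entry per distinct unknown SNI value.
            self.cache[server_name] = ctx
        return ctx

    def size(self) -> int:
        return len(self.cache)


def simulate_handshakes(server: SniContextMap, n: int) -> int:
    """Drives n handshakes, each with a distinct SNI name the server has no
    certificate for, and returns the resulting map size. Names are
    constructed; '.invalid' is reserved and never resolves."""
    for i in range(n):
        server.lookup(f"host-{i}.attacker.invalid")
    return server.size()


if __name__ == "__main__":
    leaky = SniContextMap(["api.example"], cache_unknown=True)
    fixed = SniContextMap(["api.example"], cache_unknown=False)
    print("leaky map size after 10000 handshakes:", simulate_handshakes(leaky, 10000))
    print("fixed map size after 10000 handshakes:", simulate_handshakes(fixed, 10000))
```

The observable symptom is the same as in the advisories: per-connection cost that outlives the connection. A heap dump of an affected server would show the server-name map as the retaining path, which is the quickest way to confirm the leak rather than a general connection backlog.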
Eclipse Vertx-web path traversal vulnerability
Eclipse Vertx-web is an Eclipse Foundation framework for building web applications. A path traversal vulnerability exists in Eclipse Vertx-web versions prior to 4.3.8, which stems from the fact that an attacker can disclose any classpath resource if the mount point is a wildcard...
GHSA-VJW7-6GFQ-6WF5 Path Traversal in Eclipse Vert
In Eclipse Vert.x 3.4.x up to 3.9.4, 4.0.0-milestone1, 4.0.0-milestone2, 4.0.0-milestone3, 4.0.0-milestone4, 4.0.0-milestone5, 4.0.0.Beta1, 4.0.0.Beta2, and 4.0.0.Beta3, StaticHandler doesn't correctly process backslashes on Windows operating systems, allowing an attacker to escape the webroot folder to the...
Eclipse Vertx-web Cross-Site Request Forgery Vulnerability
Eclipse Vertx-web is an Eclipse Foundation framework for building web applications. A cross-site request forgery vulnerability exists in the Vert.x-Web framework v4.0 milestone 1-4, where the source program fails to perform proper CSRF validation. Instead of comparing the CSRF token in the reque...
GHSA-45XM-V8GQ-7JQX Excessive memory allocation
In versions 3.0.0 to 3.5.3 of Eclipse Vert.x, the WebSocket HTTP upgrade implementation buffers the full HTTP request before doing the handshake, holding the entire request body in memory. There should be a reasonable limit (8192 bytes) above which the WebSocket gets an HTTP response with the...