Disclosure of classpath resources on Windows when mounted on a wildcard route in vertx-web
Description
Vert.x-Web is a set of building blocks for building web applications in the java programming language. When running vertx web applications that serve files using StaticHandler on Windows Operating Systems and Windows File Systems, if the mount point is a wildcard (*) then an attacker can exfiltrate any class path resource. When computing the relative path to locate the resource, in case of wildcards, the code: return "/" + rest; from Utils.java returns the user input (without validation) as the segment to lookup. Even though checks are performed to avoid escaping the sandbox, given that the input was not sanitized \ are not properly handled and an attacker can build a path that is valid within the classpath. This issue only affects users deploying in windows environments and upgrading is the advised remediation path. There are no known workarounds for this vulnerability.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
io.vertx:vertx-webMaven | >= 4.0.0, < 4.3.8 | 4.3.8 |
Affected products
1Patches
19e3a783b1d1aFix the webroot escape to classpath on windows
2 files changed · +61 −1
vertx-web/src/main/java/io/vertx/ext/web/impl/Utils.java+4 −1 modified@@ -20,6 +20,7 @@ import io.vertx.core.http.HttpHeaders; import io.vertx.core.http.HttpServerRequest; import io.vertx.core.http.HttpServerResponse; +import io.vertx.core.http.impl.HttpUtils; import io.vertx.ext.web.Route; import io.vertx.ext.web.RoutingContext; @@ -73,10 +74,12 @@ public static String pathOffset(String path, RoutingContext context) { } if (!route.isExactPath()) { - final String rest = context.pathParam("*"); + String rest = context.pathParam("*"); if (rest != null) { // normalize if (rest.length() > 0) { + // remove any attempt to escape the web root and use UNIX style path separators + rest = HttpUtils.removeDots(rest.replace('\\', '/')); if (rest.charAt(0) == '/') { return rest; } else {
vertx-web/src/test/java/io/vertx/ext/web/handler/StaticHandlerWindowsTest.java+57 −0 added@@ -0,0 +1,57 @@ +/* + * Copyright 2014 Red Hat, Inc. + * + * All rights reserved. This program and the accompanying materials + * are made available under the terms of the Eclipse Public License v1.0 + * and Apache License v2.0 which accompanies this distribution. + * + * The Eclipse Public License is available at + * http://www.eclipse.org/legal/epl-v10.html + * + * The Apache License v2.0 is available at + * http://www.opensource.org/licenses/apache2.0.php + * + * You may elect to redistribute this code under either of these licenses. + */ + +package io.vertx.ext.web.handler; + +import io.vertx.core.http.HttpMethod; +import io.vertx.ext.web.WebTestBase; +import org.junit.Test; + +public class StaticHandlerWindowsTest extends WebTestBase { + + @Test + public void testEscapeToClasspathFromWildcard() throws Exception { + router.clear(); + router.route("/*").handler(StaticHandler.create("www")); + // attempt to escape to classpath, given that the handler is mounted on a wildcard, + // reading the wildcard must return a sanitized path and therefore not allow to escape. + testRequest(HttpMethod.GET, "/..\\.htdigest", 404, "Not Found"); + } + + @Test + public void testEscapeToClasspathFromNull() throws Exception { + router.clear(); + router.route().handler(StaticHandler.create("www")); + // attempt to escape to classpath, given that the handler is mounted on a catch all path + testRequest(HttpMethod.GET, "/..\\.htdigest", 404, "Not Found"); + } + + @Test + public void testEscapeToClasspathFromRegEx() throws Exception { + router.clear(); + router.routeWithRegex(".*").handler(StaticHandler.create("www")); + // attempt to escape to classpath, given that the handler is mounted on a regex, + testRequest(HttpMethod.GET, "/..\\.htdigest", 404, "Not Found"); + } + + @Test + public void testEscapeToClasspathFromFixedPath() throws Exception { + router.clear(); + router.routeWithRegex("/").handler(StaticHandler.create("www")); + // attempt to escape to classpath, given that the handler is mounted on a regex, + testRequest(HttpMethod.GET, "/..\\.htdigest", 404, "Not Found"); + } +}
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
5- github.com/advisories/GHSA-53jx-vvf9-4x38ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2023-24815ghsaADVISORY
- github.com/vert-x3/vertx-web/blob/62c0d66fa1c179ae6a4d57344631679a2b97e60f/vertx-web/src/main/java/io/vertx/ext/web/impl/Utils.javaghsax_refsource_MISCWEB
- github.com/vert-x3/vertx-web/commit/9e3a783b1d1a731055e9049078b1b1494ece9c15ghsax_refsource_MISCWEB
- github.com/vert-x3/vertx-web/security/advisories/GHSA-53jx-vvf9-4x38ghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.