Vert.x STOMP server processes client frames that never sent an initial CONNECT frame
Description
Vert.x STOMP is a Vert.x implementation of the STOMP specification that provides a STOMP server and client. From versions 3.1.0 until 3.9.16 and 4.0.0 until 4.4.2, a Vert.x STOMP server processes client STOMP frames without checking that the client sent an initial CONNECT frame that the server answered with a successful CONNECTED frame. The client can subscribe to a destination or publish messages without prior authentication. Any Vert.x STOMP server configured with an authentication handler is impacted. The issue is patched in Vert.x 3.9.16 and 4.4.2. There are no trivial workarounds.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| io.vertx:vertx-stomp | Maven | >= 3.1.0, < 3.9.16 | 3.9.16 |
| io.vertx:vertx-stomp | Maven | >= 4.0.0, < 4.4.2 | 4.4.2 |
Affected products
- Range: >= 3.1.0, < 3.9.16
- Range: >= 4.0.0, < 4.4.2
Patches
Vulnerability mechanics
Root cause
"The STOMP server failed to verify that a client had successfully completed the initial CONNECT handshake before processing subsequent frames."
Attack vector
An attacker can bypass authentication on a Vert.x STOMP server by sending STOMP frames (such as `SEND` or `SUBSCRIBE`) directly to the server without first sending a `CONNECT` frame. This allows unauthorized access to server functionality even when an authentication handler is configured. [patch_id=24267]
Affected code
The vulnerability exists in `StompServerImpl.java` within the TCP and WebSocket connection handlers. These handlers failed to enforce a state machine that requires a successful `CONNECT` handshake before processing other STOMP frames. [patch_id=24267]
What the fix does
The patch introduces `AtomicBoolean` flags (`connected` and `firstFrame`) in `StompServerImpl.java` to track the connection state of each client. The server now validates that the first frame received is a `CONNECT` or `STOMP` frame and ensures subsequent frames are only processed if the client has successfully authenticated. If a client attempts to send frames before connecting, the server sends an error frame and closes the connection. [patch_id=24267]
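The connection-state check described above, reduced to a small runnable model. This is an added example, not vertx-stomp's code: the STOMP frame parser, the `StompSession` class, the `replay` helper and the `demo_auth` credential check are all constructed here, and only the idea of a per-connection `connected` / `firstFrame` pair is taken from the patch description. The `enforce_connect=False` switch reproduces the pre-fix behaviour so the two can be compared on the same client stream.

```python
"""Per-connection STOMP state check modelled on the CVE-2023-32081 fix.

Added example, not vertx-stomp code: Frame, parse_frames, StompSession,
replay and demo_auth are constructed here.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Tuple


@dataclass
class Frame:
    command: str
    headers: dict = field(default_factory=dict)
    body: bytes = b""

    def encode(self) -> bytes:
        # STOMP wire format: COMMAND, header lines, blank line, body, NUL.
        head = "\n".join([self.command] + [f"{k}:{v}" for k, v in self.headers.items()])
        return head.encode() + b"\n\n" + self.body + b"\x00"


def parse_frames(data: bytes) -> List[Frame]:
    """Split a raw TCP/WebSocket byte stream into STOMP frames."""
    frames = []
    for raw in data.split(b"\x00"):
        raw = raw.lstrip(b"\r\n")          # EOLs / heart-beats between frames
        if not raw:
            continue
        head, _, body = raw.partition(b"\n\n")
        lines = head.decode().split("\n")
        headers = {}
        for line in lines[1:]:
            key, _, value = line.partition(":")
            headers[key] = value
        frames.append(Frame(lines[0], headers, body))
    return frames


class StompSession:
    """Server-side state for one client connection."""

    def __init__(self, auth: Callable[[str, str], bool], enforce_connect: bool = True):
        self.auth = auth
        self.enforce_connect = enforce_connect  # False reproduces the pre-fix server
        self.connected = False                  # set once CONNECT passed the auth handler
        self.first_frame = True                 # True until any frame has been seen
        self.closed = False
        self.subscriptions: List[str] = []
        self.published: List[Tuple[str, bytes]] = []
        self.outbound: List[Frame] = []         # frames the server writes back

    def _error(self, message: str) -> None:
        # Fixed behaviour: answer with an ERROR frame and drop the connection.
        self.outbound.append(Frame("ERROR", {"message": message}))
        self.closed = True

    def on_frame(self, frame: Frame) -> None:
        if self.closed:
            return                              # nothing is processed after close
        if frame.command in ("CONNECT", "STOMP"):
            self.first_frame = False
            if self.auth(frame.headers.get("login", ""), frame.headers.get("passcode", "")):
                self.connected = True
                self.outbound.append(Frame("CONNECTED", {"version": "1.2"}))
            else:
                self._error("Authentication failed")
            return
        # The check the patch adds: no other frame is handled before a successful CONNECT.
        if self.enforce_connect and not self.connected:
            self._error("Expected CONNECT or STOMP frame" if self.first_frame else "Not authenticated")
            return
        self.first_frame = False
        if frame.command == "SUBSCRIBE":
            self.subscriptions.append(frame.headers.get("destination", ""))
        elif frame.command == "SEND":
            self.published.append((frame.headers.get("destination", ""), frame.body))


def replay(stream: bytes, auth: Callable[[str, str], bool], enforce_connect: bool = True) -> StompSession:
    """Feed one client's byte stream through a session and return its final state."""
    session = StompSession(auth, enforce_connect)
    for frame in parse_frames(stream):
        session.on_frame(frame)
    return session


def demo_auth(login: str, passcode: str) -> bool:
    # Constructed stand-in for a Vert.x authentication handler.
    return login == "alice" and passcode == "s3cret"


# Constructed client streams; the first one never sends CONNECT.
UNAUTHENTICATED_STREAM = (
    Frame("SUBSCRIBE", {"destination": "/queue/orders", "id": "0"}).encode()
    + Frame("SEND", {"destination": "/queue/orders"}, b"buy 1").encode()
)
AUTHENTICATED_STREAM = (
    Frame("CONNECT", {"accept-version": "1.2", "login": "alice", "passcode": "s3cret"}).encode()
    + Frame("SUBSCRIBE", {"destination": "/queue/orders", "id": "0"}).encode()
)
```

Replaying `UNAUTHENTICATED_STREAM` with `enforce_connect=False` leaves a subscription and a published message behind even though `demo_auth` was never consulted; with the check enabled the first frame is answered with an `ERROR` frame, the session is closed, and the trailing `SEND` is dropped. A detection-side variant of the same idea is to alert on any connection whose first frame is not `CONNECT` or `STOMP`.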
Preconditions
- config: The Vert.x STOMP server must be configured with an authentication handler.
Generated on May 17, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-gvrq-cg5r-7chp (GitHub advisory)
- nvd.nist.gov/vuln/detail/CVE-2023-32081 (NVD entry)
- github.com/vert-x3/vertx-stomp/commit/0de4bc5a44ddb57e74d92c445f16456fa03f265b (fix commit)
- github.com/vert-x3/vertx-stomp/security/advisories/GHSA-gvrq-cg5r-7chp (vendor advisory)
News mentions
No linked articles in our index yet.