VYPR
Moderate severity · NVD Advisory · Published Oct 22, 2025 · Updated Oct 22, 2025

CVE-2025-11965

Description

In Eclipse Vert.x versions [4.0.0, 4.5.21] and [5.0.0, 5.0.4], a StaticHandler configuration for restricting access to hidden files fails to restrict access to hidden directories, allowing unauthorized users to retrieve files within them (e.g. '.git/config').

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Eclipse Vert.x StaticHandler's setIncludeHidden(false) fails to block files inside hidden directories, exposing sensitive data like .git/config.

The vulnerability lies in Eclipse Vert.x's StaticHandler, which provides a setIncludeHidden(false) configuration to prevent serving hidden files. However, this check only examines whether the final path segment (the file name) begins with a dot; it does not evaluate intermediate directory components. Consequently, a file such as /.secret/config.txt is served because config.txt does not start with a dot, even though it resides under a hidden directory. [1] [2]
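The difference between inspecting only the file name and inspecting every path segment, shown as an added standalone Java example; this is a model of the policy described above, not Vert.x's own StaticHandler code, and it assumes request paths have already been URL-decoded:

```java
import java.util.ArrayDeque;
import java.util.Deque;

/** Illustrative model of the hidden-path check (not Vert.x code). */
public final class HiddenPathCheck {

    /** Split a request path into normalised segments: "." is dropped, ".." pops. */
    static Deque<String> segments(String path) {
        Deque<String> out = new ArrayDeque<>();
        for (String s : path.split("/")) {
            if (s.isEmpty() || s.equals(".")) continue;
            if (s.equals("..")) { out.pollLast(); continue; }
            out.addLast(s);
        }
        return out;
    }

    /** Flawed policy: only the final segment (the file name) is inspected. */
    static boolean hiddenByLastSegment(String path) {
        String last = segments(path).peekLast();
        return last != null && last.startsWith(".");
    }

    /** Corrected policy: the path is hidden if ANY segment starts with '.'. */
    static boolean hiddenByAnySegment(String path) {
        return segments(path).stream().anyMatch(s -> s.startsWith("."));
    }

    public static void main(String[] args) {
        // Constructed request paths, assumed already URL-decoded.
        String[] requests = {
            "/index.html", "/.htpasswd", "/.git/config",
            "/assets/.secret/config.txt", "/docs/../.git/HEAD"
        };
        System.out.printf("%-30s %-12s %s%n", "path", "last-only", "any-segment");
        for (String p : requests) {
            System.out.printf("%-30s %-12b %b%n",
                    p, hiddenByLastSegment(p), hiddenByAnySegment(p));
        }
    }
}
```

Only the last-segment policy lets /.git/config and /assets/.secret/config.txt through; the per-segment policy rejects every path that has a dot-prefixed component anywhere, which is the behaviour the patched versions are described as restoring.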

An attacker can exploit this by requesting files stored within hidden directories. For instance, accessing a file like /.git/config would return the contents of the Git configuration, as the path's final segment (config) is not considered hidden by the flawed logic. No prior authentication is required for exploitation, as StaticHandler is typically exposed to unauthenticated users. [2]

The impact is the unintended disclosure of sensitive information. Hidden directories such as .git, .env, .aws, or .secret may contain credentials, API keys, configuration files, or other secrets that become accessible to any user who can reach the web server. [1] [2]

The vulnerability affects Vert.x versions 4.0.0 through 4.5.21 and 5.0.0 through 5.0.4. Patches are available in the Vert.x web repository; users should upgrade to versions 4.5.22 or 5.0.5 (or later). Administrators should also review their StaticHandler configurations and consider additional access controls if they cannot immediately upgrade. [1] [2]

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                     Affected versions    Patched versions
io.vertx:vertx-web (Maven)  < 4.5.22             4.5.22
io.vertx:vertx-web (Maven)  >= 5.0.0, < 5.0.5    5.0.5

Affected products (2)

  • Eclipse/Vert.x (llm-fuzzy)
    Range: [4.0.0, 4.5.21] and [5.0.0, 5.0.4]
  • Eclipse Foundation/Vert.x (v5)
    Range: 4.0.0

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (4)

News mentions (0)

No linked articles in our index yet.