VYPR
Low severity · NVD Advisory · Published Oct 22, 2025 · Updated Oct 22, 2025

CVE-2025-11966

Description

In Eclipse Vert.x versions [4.0.0, 4.5.21] and [5.0.0, 5.0.4], when "directory listing" is enabled, file and directory names are inserted into generated HTML without proper escaping in the href, title, and link attributes. An attacker who can create or rename files or directories within a served path can craft filenames containing malicious script or HTML content, leading to stored cross-site scripting (XSS) that executes in the context of users viewing the affected directory listing.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Eclipse Vert.x directory listing has stored XSS via unescaped file names, allowing script execution in users' browsers.

Vulnerability

Description

In Eclipse Vert.x versions 4.0.0 through 4.5.21 and 5.0.0 through 5.0.4, when directory listing is enabled via StaticHandler, file and directory names are inserted directly into the generated HTML without proper escaping. The StaticHandlerImpl#sendDirectoryListing method constructs `<a>` elements using file names in `href`, `title`, and link text without sanitization, leading to stored cross-site scripting (XSS) [1][2].

Exploitation

An attacker who can create or rename files or directories within a served path can craft filenames containing malicious HTML or JavaScript. For example, a file named .txt will cause the script to execute when any user browses the directory listing page. No authentication is required beyond the ability to control file names, and the attack does not require any user interaction beyond accessing the listing [2].

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's browser, potentially leading to session hijacking, data theft, or defacement. The XSS is stored in the directory listing and affects all users visiting the compromised path.

Mitigation

Patched versions are 4.5.22 and 5.0.5. Users should upgrade immediately. If upgrade is not possible, disable directory listing or restrict file name creation to trusted users [2].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
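
The unescaped pattern described above, next to a context-aware encoding of the same list item, as an added example (not Vert.x source and not the project's patch). The class name, method names, the `/files/` path and the sample file names are all constructed for illustration.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.List;

// Added illustration, not Vert.x code. All names here are hypothetical.
public class ListingEscapeDemo {

  // Escape the characters that can break out of HTML text or a quoted attribute.
  static String escapeHtml(String s) {
    StringBuilder sb = new StringBuilder(s.length() + 16);
    for (char c : s.toCharArray()) {
      switch (c) {
        case '&': sb.append("&amp;"); break;
        case '<': sb.append("&lt;"); break;
        case '>': sb.append("&gt;"); break;
        case '"': sb.append("&quot;"); break;
        case '\'': sb.append("&#39;"); break;
        default: sb.append(c);
      }
    }
    return sb.toString();
  }

  // Percent-encode one path segment for href (URLEncoder emits '+' for a space).
  static String encodeSegment(String name) {
    return URLEncoder.encode(name, StandardCharsets.UTF_8).replace("+", "%20");
  }

  // Pattern from the advisory: the raw name lands in href, title and link text.
  static String unsafeItem(String dir, String name) {
    return "<li><a href=\"" + dir + name + "\" title=\"" + name + "\">" + name + "</a></li>";
  }

  // Hardened form: each sink gets the encoding its context requires.
  static String safeItem(String dir, String name) {
    return "<li><a href=\"" + escapeHtml(dir) + encodeSegment(name)
        + "\" title=\"" + escapeHtml(name) + "\">" + escapeHtml(name) + "</a></li>";
  }

  public static void main(String[] args) {
    // Constructed file names; the second carries markup that must stay inert.
    List<String> names = List.of("notes.txt", "report\"><b>injected</b>.txt");
    for (String n : names) {
      System.out.println("unsafe: " + unsafeItem("/files/", n));
      System.out.println("safe:   " + safeItem("/files/", n));
    }
  }
}
```

In the unsafe output the second name closes the `href` attribute and introduces a new element; in the safe output it stays a single inert link.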

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
|---|---|---|
| io.vertx:vertx-web (Maven) | < 4.5.22 | 4.5.22 |
| io.vertx:vertx-web (Maven) | >= 5.0.0, < 5.0.5 | 5.0.5 |

Affected products

  • Eclipse/Vert.x (llm-fuzzy)
    Range: >=4.0.0 <=4.5.21, >=5.0.0 <=5.0.4
  • Eclipse Foundation/Vert.x (v5)
    Range: 4.0.0
