VYPR

Maven package

io.vertx/vertx-core

pkg:maven/io.vertx/vertx-core

Vulnerabilities (7)

  • CVE-2026-6860 | Med | May 6, 2026
    affected >= 4.3.4, <= 4.3.8

    A TCP client can perform a TLS handshake and present the server name extension with a server name that is accepted by a server wildcard name, e.g. if the server is configured with a certificate accepting *.example.com, any XYZ.example.com, where XYZ is a valid name, can be used.

  • CVE-2026-1002 | Jan 15, 2026
    affected < 4.5.24, fixed 4.5.24

    The Vert.x Web static handler component cache can be manipulated to deny access to static files served by the handler using a specifically crafted request URI. The issue comes from an improper implementation of the C. rule of section 5.2.4 of RFC3986 and is fixed in Vert.x Co

  • CVE-2024-1300 | Med | Apr 2, 2024
    affected >= 4.3.4, < 4.4.8, fixed 4.4.8

    A vulnerability in the Eclipse Vert.x toolkit causes a memory leak in TCP servers configured with TLS and SNI support. When processing an unknown SNI server name assigned the default certificate instead of a mapped certificate, the SSL context is erroneously cached in the server

  • CVE-2024-1023 | Med | Mar 27, 2024
    affected >= 4.5.0, < 4.5.2, fixed 4.5.2

    A vulnerability in the Eclipse Vert.x toolkit results in a memory leak due to using Netty FastThreadLocal data structures. Specifically, the leak is triggered when the Vert.x HTTP client establishes connections to different hosts. The leak can be accelerated with intimate r

  • CVE-2018-12544 | Oct 10, 2018
    affected >= 3.5.0, < 3.5.4, fixed 3.5.4

    In versions 3.5.Beta1 to 3.5.3 of Eclipse Vert.x, the OpenAPI XML type validator creates XML parsers without taking appropriate defense against XML attacks. This applies exclusively when the developer uses the Eclipse Vert.x OpenAPI XML type validator to validate a provi

  • CVE-2018-12541 | Oct 10, 2018
    affected >= 3.0.0, < 3.5.4, fixed 3.5.4

    In versions 3.0.0 to 3.5.3 of Eclipse Vert.x, the WebSocket HTTP upgrade implementation buffers the full HTTP request before doing the handshake, holding the entire request body in memory. There should be a reasonable limit (8192 bytes) above which the WebSocket gets an HTTP

  • CVE-2018-12537 | Med | Aug 14, 2018
    affected >= 3.0.0, < 3.5.2, fixed 3.5.2

    In Eclipse Vert.x versions 3.0 to 3.5.1, the HttpServer response headers and HttpClient request headers do not filter carriage return and line feed characters from the header value. This allows unfiltered values to inject a new header in the client request or server response.