Maven package
io.vertx/vertx-core
pkg:maven/io.vertx/vertx-core
Vulnerabilities (7)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-6860 | Med | 5.3 | | >= 4.3.4, <= 4.3.8 | — | May 6, 2026 | A TCP client can perform a TLS handshake and present the server name extension with a server name that is accepted by a server wildcard name, e.g. if the server is configured with a certificate accepting `*.example.com`, any `XYZ.example.com` where xyz is a valid name can be used. |
| CVE-2026-1002 | — | | | < 4.5.24 | 4.5.24 | Jan 15, 2026 | The Vert.x Web static handler component cache can be manipulated to deny access to static files served by the handler using a specifically crafted request URI. The issue comes from an improper implementation of the C. rule of section 5.2.4 of RFC3986 and is fixed in Vert.x Co |
| CVE-2024-1300 | Med | 5.4 | | >= 4.3.4, < 4.4.8 | 4.4.8 | Apr 2, 2024 | A vulnerability in the Eclipse Vert.x toolkit causes a memory leak in TCP servers configured with TLS and SNI support. When processing an unknown SNI server name assigned the default certificate instead of a mapped certificate, the SSL context is erroneously cached in the server |
| CVE-2024-1023 | Med | 6.5 | | >= 4.5.0, < 4.5.2 | 4.5.2 | Mar 27, 2024 | A vulnerability in the Eclipse Vert.x toolkit results in a memory leak due to using Netty FastThreadLocal data structures. Specifically, when the Vert.x HTTP client establishes connections to different hosts, triggering the memory leak. The leak can be accelerated with intimate r |
| CVE-2018-12544 | — | | | >= 3.5.0, < 3.5.4 | 3.5.4 | Oct 10, 2018 | In versions from 3.5.Beta1 to 3.5.3 of Eclipse Vert.x, the OpenAPI XML type validator creates XML parsers without taking appropriate defense against XML attacks. This mechanism is exclusively when the developer uses the Eclipse Vert.x OpenAPI XML type validator to validate a provi |
| CVE-2018-12541 | — | | | >= 3.0.0, < 3.5.4 | 3.5.4 | Oct 10, 2018 | In versions from 3.0.0 to 3.5.3 of Eclipse Vert.x, the WebSocket HTTP upgrade implementation buffers the full HTTP request before doing the handshake, holding the entire request body in memory. There should be a reasonable limit (8192 bytes) above which the WebSocket gets an HTTP |
| CVE-2018-12537 | Med | 5.3 | | >= 3.0.0, < 3.5.2 | 3.5.2 | Aug 14, 2018 | In Eclipse Vert.x versions 3.0 to 3.5.1, the HttpServer response headers and HttpClient request headers do not filter carriage return and line feed characters from the header value. This allows unfiltered values to inject a new header in the client request or server response. |