VYPR

Maven package

io.vertx/vertx-web

pkg:maven/io.vertx/vertx-web

Vulnerabilities (7)

  • CVE-2025-11965 (Oct 22, 2025)
    affected < 4.5.22, fixed in 4.5.22

    In Eclipse Vert.x versions [4.0.0, 4.5.21] and [5.0.0, 5.0.4], a StaticHandler configuration for restricting access to hidden files fails to restrict access to hidden directories, allowing unauthorized users to retrieve files within them (e.g. '.git/config').

  • CVE-2025-11966 (Oct 22, 2025)
    affected < 4.5.22, fixed in 4.5.22

    In Eclipse Vert.x versions [4.0.0, 4.5.21] and [5.0.0, 5.0.4], when "directory listing" is enabled, file and directory names are inserted into generated HTML without proper escaping in the href, title, and link attributes. An attacker who can create or rename files or directories
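Added example, not code from this page or from the Vert.x project: the unescaped listing shape that CVE-2025-11966 describes beside an attribute-escaped one, as a stand-alone Java class. The listing markup, the method names and the sample file name are constructed for illustration.

```java
/**
 * Illustrative directory-listing renderer (not Vert.x's own code).
 * renderUnsafe() shows the bug class of CVE-2025-11966: a file name is
 * concatenated into href, title and the link text without escaping.
 * renderSafe() escapes every interpolation for its HTML context.
 */
public class ListingEscape {

    /** Escapes the characters that can break out of an attribute value or a text node. */
    public static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Vulnerable shape: the name lands verbatim in three HTML contexts. */
    public static String renderUnsafe(String name) {
        return "<a href=\"" + name + "\" title=\"" + name + "\">" + name + "</a>";
    }

    /** Fixed shape: escape once, use the escaped value in every context. */
    public static String renderSafe(String name) {
        String safe = escapeHtml(name);
        // The "./" prefix keeps the link relative even when a name starts with a
        // scheme-like prefix such as "javascript:", which escaping alone does not stop.
        return "<a href=\"./" + safe + "\" title=\"" + safe + "\">" + safe + "</a>";
    }

    public static void main(String[] args) {
        // Constructed file name that someone with write access to the served
        // directory could create on a Linux file system.
        String evil = "\"><img src=x onerror=alert(1)>.txt";
        System.out.println(renderUnsafe(evil)); // attribute closed early, <img> injected
        System.out.println(renderSafe(evil));   // stays inside the attribute as text
    }
}
```

The unsafe output closes the `href` attribute at the first `"` and emits the attacker's `<img>` tag as markup; the safe output carries the same name as `&quot;&gt;&lt;img ...&gt;.txt` and the browser renders it as text.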

  • CVE-2023-24815 (Feb 9, 2023)
    affected >= 4.0.0, < 4.3.8, fixed in 4.3.8

    Vert.x-Web is a set of building blocks for building web applications in the Java programming language. When running Vert.x Web applications that serve files using `StaticHandler` on Windows operating systems and Windows file systems, if the mount point is a wildcard (`*`) then an

  • CVE-2020-35217 (Jan 20, 2021)
    affected >= 4.0.0-milestone1, < 4.0.0-milestone5, fixed in 4.0.0-milestone5

    Vert.x-Web framework v4.0 milestone 1-4 does not perform a correct CSRF verification. Instead of comparing the CSRF token in the request with the CSRF token in the cookie, it compares the CSRF token in the cookie against a CSRF token that is stored in the session. An attacker doe

  • CVE-2019-17640 (Oct 15, 2020)
    affected >= 3.0.0, < 3.9.4, fixed in 3.9.4

    In Eclipse Vert.x 3.4.x up to 3.9.4, 4.0.0.milestone1, 4.0.0.milestone2, 4.0.0.milestone3, 4.0.0.milestone4, 4.0.0.milestone5, 4.0.0.Beta1, 4.0.0.Beta2, and 4.0.0.Beta3, StaticHandler doesn't correctly process back slashes on Windows operating systems, allowing, escape the webr

  • CVE-2018-12542 (Oct 10, 2018)
    affected >= 3.0.0, < 3.5.4, fixed in 3.5.4

    In versions 3.0.0 to 3.5.3 of Eclipse Vert.x, the StaticHandler uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '\' (backslash) sequences that can resolve to a location that is outside of that
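Added example, not code from this page or from the Vert.x project: the request-path checks behind CVE-2025-11965 (hidden directories), CVE-2019-17640 and CVE-2018-12542 (back slashes on Windows), as one stand-alone Java class. The method names, the verdict enum and the sample requests are constructed for illustration; the real StaticHandler is not reproduced here.

```java
import java.util.ArrayDeque;
import java.util.Deque;

/**
 * Illustrative request-path validation for a static file handler
 * (constructed example, not Vert.x code).
 */
public class StaticPathCheck {

    /** Outcome of validating a request path against the web root. */
    public enum Verdict { OK, TRAVERSAL, HIDDEN }

    /**
     * Normalizes a request path before it is joined to the web root.
     * '\' is treated as a separator because Windows file systems accept it
     * (the bug class of CVE-2018-12542 / CVE-2019-17640 was '\' surviving
     * untouched into the file path), "." segments are dropped and ".."
     * pops the previous segment. Returns null when ".." would climb above
     * the web root.
     */
    public static String normalize(String requestPath) {
        String unified = requestPath.replace('\\', '/');
        Deque<String> stack = new ArrayDeque<>();
        for (String segment : unified.split("/")) {
            if (segment.isEmpty() || segment.equals(".")) {
                continue;
            }
            if (segment.equals("..")) {
                if (stack.isEmpty()) {
                    return null; // would escape the web root
                }
                stack.removeLast();
                continue;
            }
            stack.addLast(segment);
        }
        return "/" + String.join("/", stack);
    }

    /**
     * Buggy shape of the hidden-file check (CVE-2025-11965): only the last
     * segment, i.e. the file name, is inspected, so "/.git/config" passes
     * because "config" does not start with a dot.
     */
    public static boolean hiddenFileOnly(String normalized) {
        int slash = normalized.lastIndexOf('/');
        return normalized.substring(slash + 1).startsWith(".");
    }

    /** Corrected check: a dot-prefixed segment anywhere makes the path hidden. */
    public static boolean hiddenAnySegment(String normalized) {
        for (String segment : normalized.split("/")) {
            if (segment.startsWith(".")) {
                return true;
            }
        }
        return false;
    }

    public static Verdict check(String requestPath, boolean includeHidden) {
        String normalized = normalize(requestPath);
        if (normalized == null) {
            return Verdict.TRAVERSAL;
        }
        if (!includeHidden && hiddenAnySegment(normalized)) {
            return Verdict.HIDDEN;
        }
        return Verdict.OK;
    }

    public static void main(String[] args) {
        // Constructed sample requests; each comment says what it exercises.
        String[] samples = {
            "/index.html",              // OK
            "/.git/config",             // hidden directory, visible file name
            "/assets/.env",             // hidden file
            "/..\\..\\windows\\win.ini", // back-slash traversal
            "/a/../b/../../etc/passwd"  // forward-slash traversal above the root
        };
        for (String s : samples) {
            String n = normalize(s);
            System.out.printf("%-28s normalized=%-16s fileOnly=%-5s check=%s%n",
                s, n, n != null && hiddenFileOnly(n), check(s, false));
        }
    }
}
```

Running it shows `/.git/config` reported as not hidden by `hiddenFileOnly` but as `HIDDEN` by `check`, and both back-slash and forward-slash climbs reported as `TRAVERSAL` before any file-system call is made.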

  • CVE-2018-12540 (High, Jul 12, 2018)
    affected >= 3.0.0, < 3.5.3, fixed in 3.5.3

    In versions 3.0.0 to 3.5.2 of Eclipse Vert.x, the CSRFHandler does not assert that the XSRF cookie matches the returned XSRF header/form parameter. This allows replay attacks with previously issued tokens which have not yet expired.
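Added example, not code from this page or from the Vert.x project: the three CSRF comparisons that CVE-2018-12540 (submitted token checked on its own) and CVE-2020-35217 (cookie compared with the session copy instead of the submitted value) are about, beside the correct cookie-to-submitted check, as one stand-alone Java class. The token format, the secret, the TTL and the method names are constructed for illustration.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;

/** Illustrative CSRF token checks (constructed example, not Vert.x code). */
public class CsrfCheck {
    private static final long TTL_MILLIS = 30 * 60 * 1000L;
    // Constructed demo secret; a real deployment loads one from configuration.
    private static final byte[] SECRET = "constructed-demo-secret".getBytes(StandardCharsets.UTF_8);
    private static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();

    static String hmac(String data) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(SECRET, "HmacSHA256"));
            return B64.encodeToString(mac.doFinal(data.getBytes(StandardCharsets.UTF_8)));
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    /** Issues a token of the form nonce.issuedAt.signature (URL-safe base64 never contains '.'). */
    static String issue(long now) {
        byte[] nonce = new byte[16];
        new SecureRandom().nextBytes(nonce);
        String body = B64.encodeToString(nonce) + "." + now;
        return body + "." + hmac(body);
    }

    /** Signature and expiry check that every variant below performs. */
    static boolean wellFormed(String token, long now) {
        if (token == null) return false;
        String[] parts = token.split("\\.");
        if (parts.length != 3) return false;
        long issuedAt;
        try { issuedAt = Long.parseLong(parts[1]); } catch (NumberFormatException e) { return false; }
        if (now - issuedAt > TTL_MILLIS) return false;
        byte[] expected = hmac(parts[0] + "." + parts[1]).getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(expected, parts[2].getBytes(StandardCharsets.UTF_8));
    }

    /** 3.0.0 to 3.5.2 shape (CVE-2018-12540): the submitted token is validated on its own. */
    static boolean verifyPre353(String cookie, String submitted, long now) {
        return wellFormed(submitted, now);
    }

    /** 4.0 milestone 1-4 shape (CVE-2020-35217): cookie compared with the session copy, submitted value ignored. */
    static boolean verifyMilestone(String cookie, String submitted, String sessionToken, long now) {
        return wellFormed(cookie, now) && cookie.equals(sessionToken);
    }

    /** Fixed shape: the submitted token must be well formed and equal the cookie (constant-time compare). */
    static boolean verifyFixed(String cookie, String submitted, long now) {
        return wellFormed(submitted, now) && cookie != null
            && MessageDigest.isEqual(cookie.getBytes(StandardCharsets.UTF_8),
                                     submitted.getBytes(StandardCharsets.UTF_8));
    }

    static void report(String label, String cookie, String submitted, String session, long now) {
        System.out.printf("%-22s pre353=%-5s milestone=%-5s fixed=%s%n", label,
            verifyPre353(cookie, submitted, now),
            verifyMilestone(cookie, submitted, session, now),
            verifyFixed(cookie, submitted, now));
    }

    public static void main(String[] args) {
        long now = System.currentTimeMillis();
        String victim = issue(now);   // set as the victim's cookie and stored in the victim's session
        String attacker = issue(now); // an unexpired token the attacker obtained from their own form

        // Legitimate post: the form echoes the victim's own cookie value.
        report("legitimate", victim, victim, victim, now);
        // Forged post: victim's cookie rides along, attacker's token in the form field.
        report("replayed token", victim, attacker, victim, now);
        // Forged post: victim's cookie rides along, nothing submitted at all.
        report("no token submitted", victim, null, victim, now);
    }
}
```

Expected behaviour: the legitimate post passes all three; the replayed-token post passes `verifyPre353` (any unexpired signed token is accepted) and `verifyMilestone` (cookie and session always match for the victim); the no-token post still passes `verifyMilestone`; only `verifyFixed` rejects both forgeries.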