GHSA-h5fg-jpgr-rv9c

In the current implementation, only files whose final path segment (i.e., the file name) begins with a dot (.) are treated as “hidden” and are blocked from being served. However, this logic fails in the following cases:

Files under hidden directories: For example, /.secret/config.txt — although .secret is a hidden directory, the file config.txt itself does not start with a dot, so it gets served.
Real-world impact: Sensitive files placed in hidden directories like .git, .env, .aws may become publicly accessible.

As a result, the behavior does not meet the expectations set by the includeHidden=false configuration, which should ideally protect all hidden files and directories. This gap may lead to unintended exposure of sensitive information.

Steps to Reproduce

1. Prepare test environment

# Create directory structure
mkdir -p src/test/resources/webroot/.secret
mkdir -p src/test/resources/webroot/.git

# Place test files
echo "This is a visible file" > src/test/resources/webroot/visible.txt
echo "This is a hidden file" > src/test/resources/webroot/.hidden.txt
echo "SECRET DATA: API_KEY=abc123" > src/test/resources/webroot/.secret/config.txt
echo "Git config data" > src/test/resources/webroot/.git/config

2. Implement test server

import io.vertx.core.AbstractVerticle;
import io.vertx.core.Vertx;
import io.vertx.ext.web.Router;
import io.vertx.ext.web.handler.StaticHandler;

public class StaticHandlerTestServer extends AbstractVerticle {
  @Override
  public void start() {
    Router router = Router.router(vertx);

    // Configure to not serve hidden files
    StaticHandler staticHandler = StaticHandler.create("src/test/resources/webroot")
      .setIncludeHidden(false)
      .setDirectoryListing(false);

    router.route("/*").handler(staticHandler);

    vertx.createHttpServer()
      .requestHandler(router)
      .listen(8082);
  }

  public static void main(String[] args) {
    Vertx vertx = Vertx.vertx();
    vertx.deployVerticle(new StaticHandlerTestServer());
  }
}

3. Confirm the vulnerability

# Normal file (accessible)
curl http://localhost:8082/visible.txt
# Result: 200 OK

# Hidden file (correctly blocked)
curl http://localhost:8082/.git
# Result: 404 Not Found

# File under hidden directory (vulnerable)
curl http://localhost:8082/.git/config
# Result: 200 OK - Returns contents of Git config

Potential Impact

1. Information Disclosure

Examples of sensitive files that could be exposed:

.git/config: Git repository settings (e.g., remote URL, credentials)
.env/*: Environment variables (API keys, DB credentials)
.aws/credentials: AWS access keys
.ssh/known_hosts: SSH host trust info
.docker/config.json: Docker registry credentials

2. Attack Scenarios

Attackers can guess common hidden directory names and enumerate filenames under them to access confidential data.
Especially dangerous for .git/HEAD, .git/config, .git/objects/* — which may allow full reconstruction of source code.

3. Affected Scope

Affected version: Vert.x Web 5.1.0-SNAPSHOT (likely earlier versions as well)
Environments: All OSes (Windows, Linux, macOS)
Configurations: All applications using StaticHandler.setIncludeHidden(false)

Database specific

{
    "nvd_published_at": "2025-10-22T15:15:31Z",
    "github_reviewed_at": "2025-10-22T19:38:04Z",
    "severity": "MODERATE",
    "cwe_ids": [
        "CWE-552"
    ],
    "github_reviewed": true
}

References

Affected packages

Maven / io.vertx:vertx-web

Package

Name: io.vertx:vertx-web; View open source insights on deps.dev
Purl: pkg:maven/io.vertx/vertx-web

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

4.5.22

Affected versions

3.*

3.0.0-milestone6

3.0.0

3.1.0

3.2.0

3.2.1

3.3.0.CR1

3.3.0.CR2

3.3.0

3.3.1

3.3.2

3.3.3

3.4.0.Beta1

3.4.0

3.4.1

3.4.2

3.5.0.Beta1

3.5.0

3.5.1

3.5.2.CR1

3.5.2.CR2

3.5.2.CR3

3.5.2

3.5.3.CR1

3.5.3

3.5.4

3.6.0.CR1

3.6.0.CR2

3.6.0

3.6.1

3.6.2

3.6.3

3.7.0

3.7.1

3.8.0

3.8.1

3.8.2

3.8.3

3.8.3-01

3.8.4

3.8.5

3.9.0

3.9.1

3.9.2

3.9.3

3.9.4

3.9.5

3.9.6

3.9.7

3.9.8

3.9.9

3.9.10

3.9.11

3.9.12

3.9.13

3.9.14

3.9.15

3.9.16

4.*

4.0.0-milestone1

4.0.0-milestone2

4.0.0-milestone3

4.0.0-milestone4

4.0.0-milestone5

4.0.0.Beta1

4.0.0.Beta2

4.0.0.Beta3

4.0.0.CR1

4.0.0.CR2

4.0.0

4.0.1

4.0.2

4.0.3

4.1.0.Beta1

4.1.0.CR1

4.1.0.CR2

4.1.0

4.1.1

4.1.2

4.1.3

4.1.4

4.1.5

4.1.6

4.1.7

4.1.8

4.2.0.Beta1

4.2.0.CR1

4.2.0

4.2.1

4.2.2

4.2.3

4.2.4

4.2.5

4.2.6

4.2.7

4.3.0

4.3.1

4.3.2

4.3.3

4.3.4

4.3.5

4.3.6

4.3.7

4.3.8

4.4.0

4.4.1

4.4.2

4.4.3

4.4.4

4.4.5

4.4.6

4.4.7

4.4.8

4.4.9

4.5.0

4.5.1

4.5.2

4.5.3

4.5.4

4.5.5

4.5.6

4.5.7

4.5.8

4.5.9

4.5.10

4.5.11

4.5.12

4.5.13

4.5.14

4.5.15

4.5.16

4.5.17

4.5.18

4.5.19

4.5.20

4.5.21

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/10/GHSA-h5fg-jpgr-rv9c/GHSA-h5fg-jpgr-rv9c.json"

Maven / io.vertx:vertx-web

Package

Name: io.vertx:vertx-web; View open source insights on deps.dev
Purl: pkg:maven/io.vertx/vertx-web

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.0.0

Fixed

5.0.5

Affected versions

5.*

5.0.0

5.0.1

5.0.2

5.0.3

5.0.4

Database specific

last_known_affected_version_range

"<= 5.0.4"

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/10/GHSA-h5fg-jpgr-rv9c/GHSA-h5fg-jpgr-rv9c.json"