GHSA-3g76-f9xq-8vp6

Source
https://github.com/advisories/GHSA-3g76-f9xq-8vp6
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-3g76-f9xq-8vp6/GHSA-3g76-f9xq-8vp6.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-3g76-f9xq-8vp6
Aliases
  • CVE-2026-6860
Published
2026-05-09T00:38:30Z
Modified
2026-06-02T22:15:09.279041896Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
  • 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L
Summary
Vert.x has a DoS via unbounded server-side SNI SslContext cache growth
Details

Potential unbounded server-side SNI SslContext cache growth in Vert.x TLS handling, with resource-exhaustion / DoS impact. On affected versions, matching server-side SNI names are cached via computeIfAbsent(serverName, ...) in a serverName-keyed SslContext cache.

The implementation differs slightly by branch, but the same sink appears to be present in released versions 4.3.4 through 5.0.11:
  • 4.3.x: SSLHelper
  • 4.4.x / 4.5.x: SslChannelProvider
  • 5.0.x and current master: SslContextProvider

When server-side SNI is enabled and wildcard or otherwise broad hostname mappings are used, an unauthenticated client can send many distinct matching SNI names and cause the server to retain increasing numbers of SslContext entries over time, leading to increasing memory consumption and possible DoS conditions.

Steps to reproduce

  1. Configure a Vert.x server with setSsl(true) and setSni(true).
  2. Use a keystore or mapping where many distinct SNI names match a wildcard or similarly broad rule.
  3. Send repeated connections with distinct matching SNI values.
  4. Observe that the SNI cache size grows with the number of unique matching names.
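As an added illustration (not code from Vert.x or from this advisory), the serverName-keyed computeIfAbsent pattern described above is shown beside a size-capped alternative, driven by constructed SNI names that all match one broad rule. FakeSslContext, matchesWildcard, the suffix rule and MAX_ENTRIES are assumptions for the demo; the bounded map is a mitigation pattern, not the upstream fix.

```java
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical stand-in for an SslContext; no real Vert.x classes are used here.
final class FakeSslContext {
    final String serverName;
    FakeSslContext(String serverName) { this.serverName = serverName; }
}

public final class SniCacheDemo {
    // Vulnerable pattern from the advisory: every distinct matching SNI name
    // becomes a new key and nothing ever evicts it.
    static final Map<String, FakeSslContext> UNBOUNDED = new ConcurrentHashMap<>();

    // Hardened alternative (assumption, not the upstream fix): an access-ordered
    // LinkedHashMap that evicts the least recently used entry once the cap is hit.
    static final int MAX_ENTRIES = 64;
    static final Map<String, FakeSslContext> BOUNDED = Collections.synchronizedMap(
        new LinkedHashMap<String, FakeSslContext>(16, 0.75f, true) {
            @Override
            protected boolean removeEldestEntry(Map.Entry<String, FakeSslContext> eldest) {
                return size() > MAX_ENTRIES;
            }
        });

    // Broad mapping as in the advisory: any name under .example.test matches (assumed rule).
    static boolean matchesWildcard(String serverName) {
        return serverName.endsWith(".example.test");
    }

    // Same computeIfAbsent(serverName, ...) shape the advisory names; the cache
    // passed in decides whether the entry count is bounded.
    static FakeSslContext lookup(Map<String, FakeSslContext> cache, String serverName) {
        if (!matchesWildcard(serverName)) return null;
        return cache.computeIfAbsent(serverName, FakeSslContext::new);
    }

    public static void main(String[] args) {
        // Constructed input: 10,000 distinct names that all satisfy the wildcard rule.
        for (int i = 0; i < 10_000; i++) {
            String name = "host" + i + ".example.test";
            lookup(UNBOUNDED, name);
            lookup(BOUNDED, name);
        }
        System.out.println("unbounded cache size: " + UNBOUNDED.size());
        System.out.println("bounded cache size:   " + BOUNDED.size());
    }
}
```

Capping the entry count bounds retained heap; a miss then costs one context rebuild rather than memory that is never released, which is the trade the advisory's impact calls for.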

What are the affected versions?

Affected released versions confirmed on origin:
  • 4.3.4 through 4.3.8
  • 4.4.0 through 4.4.9
  • 4.5.0 through 4.5.26
  • 5.0.0 through 5.0.11

Not affected by the same sink:
  • 4.0.x through 4.2.x
  • 4.3.0 through 4.3.3

Database specific
{
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-09T00:38:30Z",
    "nvd_published_at": "2026-05-06T10:16:26Z",
    "severity": "MODERATE",
    "cwe_ids": [
        "CWE-295",
        "CWE-770"
    ]
}

Affected packages

Maven / io.vertx:vertx-core

Package

Name
io.vertx:vertx-core
Purl
pkg:maven/io.vertx/vertx-core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.3.4
Last affected
4.3.8

Affected versions

4.*
4.3.4
4.3.5
4.3.6
4.3.7
4.3.8

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-3g76-f9xq-8vp6/GHSA-3g76-f9xq-8vp6.json"

Maven / io.vertx:vertx-core

Package

Name
io.vertx:vertx-core
Purl
pkg:maven/io.vertx/vertx-core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.4.0
Last affected
4.4.9

Affected versions

4.*
4.4.0
4.4.1
4.4.2
4.4.3
4.4.4
4.4.5
4.4.6
4.4.7
4.4.8
4.4.9

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-3g76-f9xq-8vp6/GHSA-3g76-f9xq-8vp6.json"

Maven / io.vertx:vertx-core

Package

Name
io.vertx:vertx-core
Purl
pkg:maven/io.vertx/vertx-core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.5.0
Fixed
4.5.27

Affected versions

4.*
4.5.0
4.5.1
4.5.2
4.5.3
4.5.4
4.5.5
4.5.6
4.5.7
4.5.8
4.5.9
4.5.10
4.5.11
4.5.12
4.5.13
4.5.14
4.5.15
4.5.16
4.5.17
4.5.18
4.5.19
4.5.20
4.5.21
4.5.22
4.5.23
4.5.24
4.5.25
4.5.26

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-3g76-f9xq-8vp6/GHSA-3g76-f9xq-8vp6.json"
last_known_affected_version_range
"<= 4.5.26"

Maven / io.vertx:vertx-core

Package

Name
io.vertx:vertx-core
Purl
pkg:maven/io.vertx/vertx-core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.0.0
Fixed
5.0.12

Affected versions

5.*
5.0.0
5.0.1
5.0.2
5.0.3
5.0.4
5.0.5
5.0.6
5.0.7
5.0.8
5.0.9
5.0.10
5.0.11

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-3g76-f9xq-8vp6/GHSA-3g76-f9xq-8vp6.json"
last_known_affected_version_range
"<= 5.0.11"