GHSA-45p5-v273-3qqr

Source

https://github.com/advisories/GHSA-45p5-v273-3qqr

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/10/GHSA-45p5-v273-3qqr/GHSA-45p5-v273-3qqr.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-45p5-v273-3qqr

Aliases

CVE-2025-11966

Downstream

MINI-xgq9-3wgg-p433

Related

CGA-x8hh-m38w-8m8j

Published

2025-10-22T19:38:11Z

Modified

2025-10-22T19:57:46.918512Z

Severity

2.3 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N CVSS Calculator

Summary

Vert.x-Web vulnerable to Stored Cross-site Scripting in directory listings via file names

Details

Description

In the StaticHandlerImpl#sendDirectoryListing(...) method under the text/html branch, file and directory names are directly embedded into the href, title, and link text without proper HTML escaping.
As a result, in environments where an attacker can control file names, injecting HTML/JavaScript is possible. Simply accessing the directory listing page will trigger an XSS.
Affected Code:
- File: vertx-web/src/main/java/io/vertx/ext/web/handler/impl/StaticHandlerImpl.java
- Lines:
  - 709–713: normalizedDir is constructed without escaping
  - 714–731: <li><a ...> elements insert file names directly into attributes and body without escaping
  - 744: parent directory name construction
  - 746–751: {directory}, {parent}, and {files} are inserted into the HTML template without escaping

Reproduction Steps

Prerequisites:
- Directory listing is enabled using StaticHandler
  (e.g., StaticHandler.create("public").setDirectoryListing(true))
- The attacker has the ability to create arbitrary file names under a public directory (e.g., via upload functionality or a shared directory)
Create a malicious file name (example for Unix-based OS):
- Create an empty file in public/ with one of the following names:
  - <img src=x onerror=alert('XSS')>.txt
  - Or attribute injection: evil" onmouseover="alert('XSS')".txt
- Example:
```
mkdir -p public
printf 'test' > "public/&lt;img src=x onerror=alert('XSS')>.txt"
```
Start the server (example):
- Routing: router.route("/public/*").handler(StaticHandler.create("public").setDirectoryListing(true));
- Server: vertx.createHttpServer().requestHandler(router).listen(8890);

Verification request (raw HTTP):

GET /public/ HTTP/1.1
Host: 127.0.0.1:8890
Accept: text/html
Connection: close

Example response excerpt:

<ul id="files">
  <li>
    <a href="/public/<img src=x onerror=alert('XSS')>.txt"
           title="<img src=x onerror=alert('XSS')>.txt">
       &lt;img src=x onerror=alert('XSS')>.txt
    </a>
  </li>
  ...
</ul>

When accessing /public/ in a browser, the unescaped file name is interpreted as HTML, and event handlers such as onerror are executed.

Potential Impact

Stored XSS
- Arbitrary JavaScript executes in the browser context of users viewing the listing page
- Possible consequences:
  - Theft of session tokens, JWTs, localStorage contents, or CSRF tokens
  - Unauthorized actions with admin privileges (user creation, permission changes, settings modifications)
  - Watering hole attacks, including malware distribution or malicious script injection to other pages
Common Conditions That Make Exploitation Easier
- Uploaded files are served directly under a publicly accessible directory
- Shared/synced directories (e.g., NFS, SMB, WebDAV, or cloud sync) are exposed
- ZIP/TAR archives are extracted directly under the webroot and directory listing is enabled in production environments

Similar CVEs Previously Reported

CVE‑2024‑32966
CVE‑2019‑15603

Database specific

{
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-79"
    ],
    "github_reviewed_at": "2025-10-22T19:38:11Z",
    "nvd_published_at": "2025-10-22T15:15:31Z",
    "severity": "LOW"
}

References

Affected packages

Maven / io.vertx:vertx-web

Package

Name: io.vertx:vertx-web; View open source insights on deps.dev
Purl: pkg:maven/io.vertx/vertx-web

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

4.5.22

Affected versions

3.*

3.0.0-milestone6

3.0.0

3.1.0

3.2.0

3.2.1

3.3.0.CR1

3.3.0.CR2

3.3.0

3.3.1

3.3.2

3.3.3

3.4.0.Beta1

3.4.0

3.4.1

3.4.2

3.5.0.Beta1

3.5.0

3.5.1

3.5.2.CR1

3.5.2.CR2

3.5.2.CR3

3.5.2

3.5.3.CR1

3.5.3

3.5.4

3.6.0.CR1

3.6.0.CR2

3.6.0

3.6.1

3.6.2

3.6.3

3.7.0

3.7.1

3.8.0

3.8.1

3.8.2

3.8.3

3.8.3-01

3.8.4

3.8.5

3.9.0

3.9.1

3.9.2

3.9.3

3.9.4

3.9.5

3.9.6

3.9.7

3.9.8

3.9.9

3.9.10

3.9.11

3.9.12

3.9.13

3.9.14

3.9.15

3.9.16

4.*

4.0.0-milestone1

4.0.0-milestone2

4.0.0-milestone3

4.0.0-milestone4

4.0.0-milestone5

4.0.0.Beta1

4.0.0.Beta2

4.0.0.Beta3

4.0.0.CR1

4.0.0.CR2

4.0.0

4.0.1

4.0.2

4.0.3

4.1.0.Beta1

4.1.0.CR1

4.1.0.CR2

4.1.0

4.1.1

4.1.2

4.1.3

4.1.4

4.1.5

4.1.6

4.1.7

4.1.8

4.2.0.Beta1

4.2.0.CR1

4.2.0

4.2.1

4.2.2

4.2.3

4.2.4

4.2.5

4.2.6

4.2.7

4.3.0

4.3.1

4.3.2

4.3.3

4.3.4

4.3.5

4.3.6

4.3.7

4.3.8

4.4.0

4.4.1

4.4.2

4.4.3

4.4.4

4.4.5

4.4.6

4.4.7

4.4.8

4.4.9

4.5.0

4.5.1

4.5.2

4.5.3

4.5.4

4.5.5

4.5.6

4.5.7

4.5.8

4.5.9

4.5.10

4.5.11

4.5.12

4.5.13

4.5.14

4.5.15

4.5.16

4.5.17

4.5.18

4.5.19

4.5.20

4.5.21

Maven / io.vertx:vertx-web

Package

Name: io.vertx:vertx-web; View open source insights on deps.dev
Purl: pkg:maven/io.vertx/vertx-web

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.0.0

Fixed

5.0.5

Affected versions

5.*

5.0.0

5.0.1

5.0.2

5.0.3

5.0.4

Database specific

last_known_affected_version_range

"<= 5.0.4"