Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2025-11966 (GCVE-0-2025-11966)
Vulnerability from cvelistv5 – Published: 2025-10-22 14:44 – Updated: 2025-10-22 15:26
VLAI?
EPSS
Summary
In Eclipse Vert.x versions [4.0.0, 4.5.21] and [5.0.0, 5.0.4], when "directory listing" is enabled, file and directory names are inserted into generated HTML without proper escaping in the href, title, and link attributes. An attacker who can create or rename files or directories within a served path can craft filenames containing malicious script or HTML content, leading to stored cross-site scripting (XSS) that executes in the context of users viewing the affected directory listing.
Severity ?
CWE
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Eclipse Foundation | Vert.x |
Affected:
4.0.0 , < 4.5.22
(maven)
Affected: 5.0.0 , < 5.0.5 (maven) |
Credits
Sho Odagiri
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-11966",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-22T15:24:31.799457Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-22T15:26:41.527Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Vert.x",
"vendor": "Eclipse Foundation",
"versions": [
{
"lessThan": "4.5.22",
"status": "affected",
"version": "4.0.0",
"versionType": "maven"
},
{
"lessThan": "5.0.5",
"status": "affected",
"version": "5.0.0",
"versionType": "maven"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Sho Odagiri"
}
],
"datePublic": "2025-10-22T10:55:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In Eclipse Vert.x versions [4.0.0, 4.5.21] and [5.0.0, 5.0.4], when \"directory listing\" is enabled, file and directory names are inserted into generated HTML without proper escaping in the href, title, and link attributes. An attacker who can create or rename files or directories within a served path can craft filenames containing malicious script or HTML content, leading to stored cross-site scripting (XSS) that executes in the context of users viewing the affected directory listing."
}
],
"value": "In Eclipse Vert.x versions [4.0.0, 4.5.21] and [5.0.0, 5.0.4], when \"directory listing\" is enabled, file and directory names are inserted into generated HTML without proper escaping in the href, title, and link attributes. An attacker who can create or rename files or directories within a served path can craft filenames containing malicious script or HTML content, leading to stored cross-site scripting (XSS) that executes in the context of users viewing the affected directory listing."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 2.3,
"baseSeverity": "LOW",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-80",
"description": "CWE-80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-22T14:44:24.145Z",
"orgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c",
"shortName": "eclipse"
},
"references": [
{
"url": "https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/303"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c",
"assignerShortName": "eclipse",
"cveId": "CVE-2025-11966",
"datePublished": "2025-10-22T14:44:24.145Z",
"dateReserved": "2025-10-20T14:50:01.166Z",
"dateUpdated": "2025-10-22T15:26:41.527Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2025-11966\",\"sourceIdentifier\":\"emo@eclipse.org\",\"published\":\"2025-10-22T15:15:31.730\",\"lastModified\":\"2025-10-22T21:12:48.953\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In Eclipse Vert.x versions [4.0.0, 4.5.21] and [5.0.0, 5.0.4], when \\\"directory listing\\\" is enabled, file and directory names are inserted into generated HTML without proper escaping in the href, title, and link attributes. An attacker who can create or rename files or directories within a served path can craft filenames containing malicious script or HTML content, leading to stored cross-site scripting (XSS) that executes in the context of users viewing the affected directory listing.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"emo@eclipse.org\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":2.3,\"baseSeverity\":\"LOW\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"attackRequirements\":\"PRESENT\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"LOW\",\"vulnIntegrityImpact\":\"LOW\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"LOW\",\"subIntegrityImpact\":\"LOW\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}]},\"weaknesses\":[{\"source\":\"emo@eclipse.org\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"},{\"lang\":\"en\",\"value\":\"CWE-80\"}]}],\"references\":[{\"url\":\"https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/303\",\"source\":\"emo@eclipse.org\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-11966\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-10-22T15:24:31.799457Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-10-22T15:25:55.166Z\"}}], \"cna\": {\"source\": {\"discovery\": \"UNKNOWN\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Sho Odagiri\"}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV4_0\": {\"Safety\": \"NOT_DEFINED\", \"version\": \"4.0\", \"Recovery\": \"NOT_DEFINED\", \"baseScore\": 2.3, \"Automatable\": \"NOT_DEFINED\", \"attackVector\": \"NETWORK\", \"baseSeverity\": \"LOW\", \"valueDensity\": \"NOT_DEFINED\", \"vectorString\": \"CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N\", \"providerUrgency\": \"NOT_DEFINED\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"attackRequirements\": \"PRESENT\", \"privilegesRequired\": \"LOW\", \"subIntegrityImpact\": \"LOW\", \"vulnIntegrityImpact\": \"LOW\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"LOW\", \"vulnConfidentialityImpact\": \"LOW\", \"vulnerabilityResponseEffort\": \"NOT_DEFINED\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Eclipse Foundation\", \"product\": \"Vert.x\", \"versions\": [{\"status\": \"affected\", \"version\": \"4.0.0\", \"lessThan\": \"4.5.22\", \"versionType\": \"maven\"}, {\"status\": \"affected\", \"version\": \"5.0.0\", \"lessThan\": \"5.0.5\", \"versionType\": \"maven\"}], \"defaultStatus\": \"unaffected\"}], \"datePublic\": \"2025-10-22T10:55:00.000Z\", \"references\": [{\"url\": \"https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/303\"}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"In Eclipse Vert.x versions [4.0.0, 4.5.21] and [5.0.0, 5.0.4], when \\\"directory listing\\\" is enabled, file and directory names are inserted into generated HTML without proper escaping in the href, title, and link attributes. An attacker who can create or rename files or directories within a served path can craft filenames containing malicious script or HTML content, leading to stored cross-site scripting (XSS) that executes in the context of users viewing the affected directory listing.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"In Eclipse Vert.x versions [4.0.0, 4.5.21] and [5.0.0, 5.0.4], when \\\"directory listing\\\" is enabled, file and directory names are inserted into generated HTML without proper escaping in the href, title, and link attributes. An attacker who can create or rename files or directories within a served path can craft filenames containing malicious script or HTML content, leading to stored cross-site scripting (XSS) that executes in the context of users viewing the affected directory listing.\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-79\", \"description\": \"CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-80\", \"description\": \"CWE-80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)\"}]}], \"providerMetadata\": {\"orgId\": \"e51fbebd-6053-4e49-959f-1b94eeb69a2c\", \"shortName\": \"eclipse\", \"dateUpdated\": \"2025-10-22T14:44:24.145Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2025-11966\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-10-22T15:26:41.527Z\", \"dateReserved\": \"2025-10-20T14:50:01.166Z\", \"assignerOrgId\": \"e51fbebd-6053-4e49-959f-1b94eeb69a2c\", \"datePublished\": \"2025-10-22T14:44:24.145Z\", \"assignerShortName\": \"eclipse\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
RHSA-2026:0134
Vulnerability from csaf_redhat - Published: 2026-01-06 13:22 - Updated: 2026-01-19 03:56Summary
Red Hat Security Advisory: Red Hat build of Quarkus 3.27.1.SP1 security update
Notes
Topic
An update is now available for Red Hat build of Quarkus.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability. For more information, see the CVE links in the References section.
Details
This release of Red Hat build of Quarkus 3.27.1.SP1 includes the following CVE fixes:
* lz4-java: lz4-java: Information Disclosure via Insufficient Output Buffer Clearing [quarkus-3.27] (CVE-2025-66566)
* lz4-java: lz4-java: Out-of-bounds memory operations lead to denial of service and information disclosure [quarkus-3.27] (CVE-2025-12183)
* vertx-web: Eclipse Vert.x cross site scripting [quarkus-3.27] (CVE-2025-11966)
For more information, see the release notes page listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update is now available for Red Hat build of Quarkus.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability. For more information, see the CVE links in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "This release of Red Hat build of Quarkus 3.27.1.SP1 includes the following CVE fixes:\n\n* lz4-java: lz4-java: Information Disclosure via Insufficient Output Buffer Clearing [quarkus-3.27] (CVE-2025-66566)\n\n* lz4-java: lz4-java: Out-of-bounds memory operations lead to denial of service and information disclosure [quarkus-3.27] (CVE-2025-12183)\n\n* vertx-web: Eclipse Vert.x cross site scripting [quarkus-3.27] (CVE-2025-11966)\n\nFor more information, see the release notes page listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:0134",
"url": "https://access.redhat.com/errata/RHSA-2026:0134"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "https://access.redhat.com/products/quarkus/",
"url": "https://access.redhat.com/products/quarkus/"
},
{
"category": "external",
"summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=redhat.quarkus\u0026downloadType=distributions\u0026version=3.27.1.SP1",
"url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=redhat.quarkus\u0026downloadType=distributions\u0026version=3.27.1.SP1"
},
{
"category": "external",
"summary": "https://docs.redhat.com/en/documentation/red_hat_build_of_quarkus/3.27",
"url": "https://docs.redhat.com/en/documentation/red_hat_build_of_quarkus/3.27"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_0134.json"
}
],
"title": "Red Hat Security Advisory: Red Hat build of Quarkus 3.27.1.SP1 security update",
"tracking": {
"current_release_date": "2026-01-19T03:56:15+00:00",
"generator": {
"date": "2026-01-19T03:56:15+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.6.15"
}
},
"id": "RHSA-2026:0134",
"initial_release_date": "2026-01-06T13:22:25+00:00",
"revision_history": [
{
"date": "2026-01-06T13:22:25+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-01-06T13:22:25+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-01-19T03:56:15+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat build of Quarkus 3.27.1.SP1",
"product": {
"name": "Red Hat build of Quarkus 3.27.1.SP1",
"product_id": "Red Hat build of Quarkus 3.27.1.SP1",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:quarkus:3.27::el8"
}
}
}
],
"category": "product_family",
"name": "Red Hat build of Quarkus"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-11966",
"cwe": {
"id": "CWE-80",
"name": "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)"
},
"discovery_date": "2025-10-22T15:01:24.122189+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2405789"
}
],
"notes": [
{
"category": "description",
"text": "In Eclipse Vert.x versions [4.0.0, 4.5.21] and [5.0.0, 5.0.4], when \"directory listing\" is enabled, file and directory names are inserted into generated HTML without proper escaping in the href, title, and link attributes. An attacker who can create or rename files or directories within a served path can craft filenames containing malicious script or HTML content, leading to stored cross-site scripting (XSS) that executes in the context of users viewing the affected directory listing.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "io.vertx/vertx-web: Eclipse Vert.x cross site scripting",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Within regulated environments, a combination of the following controls acts as a significant barrier to successful exploitation of a CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) or a CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)vulnerability, and therefore downgrades the severity of this particular CVE from Moderate to Low.\n\nStatic code analysis controls ensure that security flaws, including XSS vulnerabilities, are detected early in development by scanning code for improper input handling. This prevents vulnerable code from reaching production and encourages our developers to follow secure coding practices.\n\nSystem monitoring controls play a crucial role in detecting and responding to XSS attacks by analyzing logs, monitoring user behavior, and generating alerts for suspicious activity. Meanwhile, AWS WAF (Web Application Firewall) adds an extra layer of defense by filtering and blocking malicious input before it reaches the platform and/or application. Together, these controls create a defense-in-depth approach, reducing the risk of XSS exploitation by preventing, detecting, and mitigating attacks at multiple levels.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Quarkus 3.27.1.SP1"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-11966"
},
{
"category": "external",
"summary": "RHBZ#2405789",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2405789"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-11966",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-11966"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-11966",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11966"
},
{
"category": "external",
"summary": "https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/303",
"url": "https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/303"
}
],
"release_date": "2025-10-22T14:44:24.145000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-01-06T13:22:25+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat build of Quarkus 3.27.1.SP1"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:0134"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat build of Quarkus 3.27.1.SP1"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"Red Hat build of Quarkus 3.27.1.SP1"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "io.vertx/vertx-web: Eclipse Vert.x cross site scripting"
},
{
"cve": "CVE-2025-12183",
"cwe": {
"id": "CWE-125",
"name": "Out-of-bounds Read"
},
"discovery_date": "2025-11-28T16:00:42.516514+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2417718"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in lz4-java. This vulnerability allows remote attackers to cause denial of service (DoS) and read adjacent memory via untrusted compressed input. This vulnerability affects only programs using the unsafe LZ4_decompress_fast API, known as the \"fast\" decompressor.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "lz4-java: lz4-java: Out-of-bounds memory operations lead to denial of service and information disclosure",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability affects the \"fast\" decompressor, this is due to the fact such implementation relies on LZ4_decompress_fast API of the lz4 C library. This function was deprecated in the lz4 library as it misses boundary checks and is considered insecure when processing untrusted inputs.\nRed Hat has considered this vulnerability as having a security impact of Moderate as the attack may be considered of a high complexity, additionally when exploited the attacker doesn\u0027t have full control over the memory read and its content.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Quarkus 3.27.1.SP1"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-12183"
},
{
"category": "external",
"summary": "RHBZ#2417718",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2417718"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-12183",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-12183"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-12183",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12183"
},
{
"category": "external",
"summary": "https://github.com/yawkat/lz4-java/releases/tag/v1.8.1",
"url": "https://github.com/yawkat/lz4-java/releases/tag/v1.8.1"
},
{
"category": "external",
"summary": "https://sites.google.com/sonatype.com/vulnerabilities/cve-2025-12183",
"url": "https://sites.google.com/sonatype.com/vulnerabilities/cve-2025-12183"
}
],
"release_date": "2025-11-28T15:52:56.140000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-01-06T13:22:25+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat build of Quarkus 3.27.1.SP1"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:0134"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat build of Quarkus 3.27.1.SP1"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "lz4-java: lz4-java: Out-of-bounds memory operations lead to denial of service and information disclosure"
},
{
"cve": "CVE-2025-66566",
"cwe": {
"id": "CWE-908",
"name": "Use of Uninitialized Resource"
},
"discovery_date": "2025-12-05T19:00:50.134024+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2419500"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in lz4-java. This vulnerability allows disclosure of sensitive data via crafted compressed input due to insufficient clearing of the output buffer in Java-based decompressor implementations.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "lz4-java: lz4-java: Information Disclosure via Insufficient Output Buffer Clearing",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability is rated IMPORTANT because it allows for information disclosure when Java-based decompressor implementations reuse output buffers without proper clearing, potentially exposing sensitive data via crafted compressed input. JNI-based implementations of lz4-java are not affected by this issue.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Quarkus 3.27.1.SP1"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-66566"
},
{
"category": "external",
"summary": "RHBZ#2419500",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2419500"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-66566",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-66566"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-66566",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66566"
},
{
"category": "external",
"summary": "https://github.com/yawkat/lz4-java/commit/33d180cb70c4d93c80fb0dc3ab3002f457e93840",
"url": "https://github.com/yawkat/lz4-java/commit/33d180cb70c4d93c80fb0dc3ab3002f457e93840"
},
{
"category": "external",
"summary": "https://github.com/yawkat/lz4-java/security/advisories/GHSA-cmp6-m4wj-q63q",
"url": "https://github.com/yawkat/lz4-java/security/advisories/GHSA-cmp6-m4wj-q63q"
}
],
"release_date": "2025-12-05T18:10:16.470000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-01-06T13:22:25+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat build of Quarkus 3.27.1.SP1"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:0134"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"Red Hat build of Quarkus 3.27.1.SP1"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "lz4-java: lz4-java: Information Disclosure via Insufficient Output Buffer Clearing"
}
]
}
RHSA-2026:0131
Vulnerability from csaf_redhat - Published: 2026-01-06 13:12 - Updated: 2026-01-19 03:56Summary
Red Hat Security Advisory: Red Hat build of Quarkus 3.20.4.SP1 security update
Notes
Topic
An update is now available for Red Hat build of Quarkus.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability. For more information, see the CVE links in the References section.
Details
This release of Red Hat build of Quarkus 3.20.4.SP1 includes the following CVE fixes:
* lz4-java: lz4-java: Information Disclosure via Insufficient Output Buffer Clearing [quarkus-3.20] (CVE-2025-66566)
* lz4-java: lz4-java: Out-of-bounds memory operations lead to denial of service and information disclosure [quarkus-3.20] (CVE-2025-12183)
* vertx-web: Eclipse Vert.x cross site scripting [quarkus-3.20 (CVE-2025-11966)
For more information, see the release notes page listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update is now available for Red Hat build of Quarkus.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability. For more information, see the CVE links in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "This release of Red Hat build of Quarkus 3.20.4.SP1 includes the following CVE fixes:\n\n* lz4-java: lz4-java: Information Disclosure via Insufficient Output Buffer Clearing [quarkus-3.20] (CVE-2025-66566)\n\n* lz4-java: lz4-java: Out-of-bounds memory operations lead to denial of service and information disclosure [quarkus-3.20] (CVE-2025-12183)\n\n* vertx-web: Eclipse Vert.x cross site scripting [quarkus-3.20 (CVE-2025-11966)\n\nFor more information, see the release notes page listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:0131",
"url": "https://access.redhat.com/errata/RHSA-2026:0131"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "https://access.redhat.com/products/quarkus/",
"url": "https://access.redhat.com/products/quarkus/"
},
{
"category": "external",
"summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=redhat.quarkus\u0026downloadType=distributions\u0026version=3.20.4.SP1",
"url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=redhat.quarkus\u0026downloadType=distributions\u0026version=3.20.4.SP1"
},
{
"category": "external",
"summary": "https://docs.redhat.com/en/documentation/red_hat_build_of_quarkus/3.20",
"url": "https://docs.redhat.com/en/documentation/red_hat_build_of_quarkus/3.20"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_0131.json"
}
],
"title": "Red Hat Security Advisory: Red Hat build of Quarkus 3.20.4.SP1 security update",
"tracking": {
"current_release_date": "2026-01-19T03:56:13+00:00",
"generator": {
"date": "2026-01-19T03:56:13+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.6.15"
}
},
"id": "RHSA-2026:0131",
"initial_release_date": "2026-01-06T13:12:23+00:00",
"revision_history": [
{
"date": "2026-01-06T13:12:23+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-01-13T15:04:57+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-01-19T03:56:13+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat build of Quarkus 3.20.4.SP1",
"product": {
"name": "Red Hat build of Quarkus 3.20.4.SP1",
"product_id": "Red Hat build of Quarkus 3.20.4.SP1",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:quarkus:3.20::el8"
}
}
}
],
"category": "product_family",
"name": "Red Hat build of Quarkus"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-11966",
"cwe": {
"id": "CWE-80",
"name": "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)"
},
"discovery_date": "2025-10-22T15:01:24.122189+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2405789"
}
],
"notes": [
{
"category": "description",
"text": "In Eclipse Vert.x versions [4.0.0, 4.5.21] and [5.0.0, 5.0.4], when \"directory listing\" is enabled, file and directory names are inserted into generated HTML without proper escaping in the href, title, and link attributes. An attacker who can create or rename files or directories within a served path can craft filenames containing malicious script or HTML content, leading to stored cross-site scripting (XSS) that executes in the context of users viewing the affected directory listing.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "io.vertx/vertx-web: Eclipse Vert.x cross site scripting",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Within regulated environments, a combination of the following controls acts as a significant barrier to successful exploitation of a CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) or a CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)vulnerability, and therefore downgrades the severity of this particular CVE from Moderate to Low.\n\nStatic code analysis controls ensure that security flaws, including XSS vulnerabilities, are detected early in development by scanning code for improper input handling. This prevents vulnerable code from reaching production and encourages our developers to follow secure coding practices.\n\nSystem monitoring controls play a crucial role in detecting and responding to XSS attacks by analyzing logs, monitoring user behavior, and generating alerts for suspicious activity. Meanwhile, AWS WAF (Web Application Firewall) adds an extra layer of defense by filtering and blocking malicious input before it reaches the platform and/or application. Together, these controls create a defense-in-depth approach, reducing the risk of XSS exploitation by preventing, detecting, and mitigating attacks at multiple levels.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Quarkus 3.20.4.SP1"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-11966"
},
{
"category": "external",
"summary": "RHBZ#2405789",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2405789"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-11966",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-11966"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-11966",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11966"
},
{
"category": "external",
"summary": "https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/303",
"url": "https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/303"
}
],
"release_date": "2025-10-22T14:44:24.145000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-01-06T13:12:23+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat build of Quarkus 3.20.4.SP1"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:0131"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat build of Quarkus 3.20.4.SP1"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"Red Hat build of Quarkus 3.20.4.SP1"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "io.vertx/vertx-web: Eclipse Vert.x cross site scripting"
},
{
"cve": "CVE-2025-12183",
"cwe": {
"id": "CWE-125",
"name": "Out-of-bounds Read"
},
"discovery_date": "2025-11-28T16:00:42.516514+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2417718"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in lz4-java. This vulnerability allows remote attackers to cause denial of service (DoS) and read adjacent memory via untrusted compressed input. This vulnerability affects only programs using the unsafe LZ4_decompress_fast API, known as the \"fast\" decompressor.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "lz4-java: lz4-java: Out-of-bounds memory operations lead to denial of service and information disclosure",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability affects the \"fast\" decompressor, this is due to the fact such implementation relies on LZ4_decompress_fast API of the lz4 C library. This function was deprecated in the lz4 library as it misses boundary checks and is considered insecure when processing untrusted inputs.\nRed Hat has considered this vulnerability as having a security impact of Moderate as the attack may be considered of a high complexity, additionally when exploited the attacker doesn\u0027t have full control over the memory read and its content.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Quarkus 3.20.4.SP1"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-12183"
},
{
"category": "external",
"summary": "RHBZ#2417718",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2417718"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-12183",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-12183"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-12183",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12183"
},
{
"category": "external",
"summary": "https://github.com/yawkat/lz4-java/releases/tag/v1.8.1",
"url": "https://github.com/yawkat/lz4-java/releases/tag/v1.8.1"
},
{
"category": "external",
"summary": "https://sites.google.com/sonatype.com/vulnerabilities/cve-2025-12183",
"url": "https://sites.google.com/sonatype.com/vulnerabilities/cve-2025-12183"
}
],
"release_date": "2025-11-28T15:52:56.140000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-01-06T13:12:23+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat build of Quarkus 3.20.4.SP1"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:0131"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat build of Quarkus 3.20.4.SP1"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "lz4-java: lz4-java: Out-of-bounds memory operations lead to denial of service and information disclosure"
},
{
"cve": "CVE-2025-66566",
"cwe": {
"id": "CWE-908",
"name": "Use of Uninitialized Resource"
},
"discovery_date": "2025-12-05T19:00:50.134024+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2419500"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in lz4-java. This vulnerability allows disclosure of sensitive data via crafted compressed input due to insufficient clearing of the output buffer in Java-based decompressor implementations.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "lz4-java: lz4-java: Information Disclosure via Insufficient Output Buffer Clearing",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability is rated IMPORTANT because it allows for information disclosure when Java-based decompressor implementations reuse output buffers without proper clearing, potentially exposing sensitive data via crafted compressed input. JNI-based implementations of lz4-java are not affected by this issue.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Quarkus 3.20.4.SP1"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-66566"
},
{
"category": "external",
"summary": "RHBZ#2419500",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2419500"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-66566",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-66566"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-66566",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66566"
},
{
"category": "external",
"summary": "https://github.com/yawkat/lz4-java/commit/33d180cb70c4d93c80fb0dc3ab3002f457e93840",
"url": "https://github.com/yawkat/lz4-java/commit/33d180cb70c4d93c80fb0dc3ab3002f457e93840"
},
{
"category": "external",
"summary": "https://github.com/yawkat/lz4-java/security/advisories/GHSA-cmp6-m4wj-q63q",
"url": "https://github.com/yawkat/lz4-java/security/advisories/GHSA-cmp6-m4wj-q63q"
}
],
"release_date": "2025-12-05T18:10:16.470000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-01-06T13:12:23+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat build of Quarkus 3.20.4.SP1"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:0131"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"Red Hat build of Quarkus 3.20.4.SP1"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "lz4-java: lz4-java: Information Disclosure via Insufficient Output Buffer Clearing"
}
]
}
RHSA-2025:23417
Vulnerability from csaf_redhat - Published: 2025-12-16 23:13 - Updated: 2026-01-19 03:55Summary
Red Hat Security Advisory: Streams for Apache Kafka 3.1.0 release and security update
Notes
Topic
Streams for Apache Kafka 3.1.0 is now available from the Red Hat Customer Portal.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat Streams for Apache Kafka, based on the Apache Kafka project, offers a distributed
backbone that allows microservices and other applications to share data with
extremely high throughput and extremely low latency.
This release of Red Hat Streams for Apache Kafka 3.1.0 serves as a replacement for Red Hat Streams for Apache Kafka 3.0.1, and includes security and bug fixes, and enhancements.
Security Fix(es):
* Apache Kafka, Drain Cleaner, Bridge, Cruise Conreol, Proxy, Console: Netty's BrotliDecoder is vulnerable to DoS via zip bomb style attack"(CVE-2025-58057)"
* Apache Kafka, Proxy: Netty is vulnerable to request smuggling due to incorrect parsing of chunk extensions"(CVE-2025-58056)"
* Apache Kafka, Bridge, Drain Cleaner, Cruise Control, Console: Netty MadeYouReset HTTP/2 DDoS Vulnerability ("CVE-2025-55163")
* Apache Kafka: org.apache.commons:commons-lang3 : Uncontrolled Recursion("CVE-2025-48924")
* Drain Cleaner: io.quarkus:quarkus-resteasy: Memory Leak in Quarkus RESTEasy Classic When Client Requests Timeout("CVE-2025-1634")
* Drain Cleaner, Console: Data leak vulnerability in io.quarkus:quarkus-vertx package ("CVE-2025-49574")
* Cruise Control: org.apache.kafka/kafka_2.13: Apache Kafka: SCRAM authentication vulnerable to replay attacks when used without encryption (" CVE-2024-56128")
* Cruise Control: org.apache.kafka: Kafka Client Arbitrary File Read SSRF("CVE-2025-27817")
* Cruise Control: Kafka Clients Vulnerabiliy("CVE-2025-27819")
* Cruise Control: Kafka Clients Vulnerabiliy("CVE-2025-27818")
* Cruise Control, Console: io.vertx/vertx-core: Eclipse Vert.x Access Control Flaw ("CVE-2025-11965")
* Cruise Control, Console: Vertx - Cross-site scripting (XSS) vulnerability ("CVE-2025-11966")
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Streams for Apache Kafka 3.1.0 is now available from the Red Hat Customer Portal.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat Streams for Apache Kafka, based on the Apache Kafka project, offers a distributed\nbackbone that allows microservices and other applications to share data with\nextremely high throughput and extremely low latency.\n\nThis release of Red Hat Streams for Apache Kafka 3.1.0 serves as a replacement for Red Hat Streams for Apache Kafka 3.0.1, and includes security and bug fixes, and enhancements.\n\nSecurity Fix(es):\n* Apache Kafka, Drain Cleaner, Bridge, Cruise Conreol, Proxy, Console: Netty\u0027s BrotliDecoder is vulnerable to DoS via zip bomb style attack\"(CVE-2025-58057)\"\n* Apache Kafka, Proxy: Netty is vulnerable to request smuggling due to incorrect parsing of chunk extensions\"(CVE-2025-58056)\"\n* Apache Kafka, Bridge, Drain Cleaner, Cruise Control, Console: Netty MadeYouReset HTTP/2 DDoS Vulnerability (\"CVE-2025-55163\")\n* Apache Kafka: org.apache.commons:commons-lang3 : Uncontrolled Recursion(\"CVE-2025-48924\")\n* Drain Cleaner: io.quarkus:quarkus-resteasy: Memory Leak in Quarkus RESTEasy Classic When Client Requests Timeout(\"CVE-2025-1634\")\n* Drain Cleaner, Console: Data leak vulnerability in io.quarkus:quarkus-vertx package (\"CVE-2025-49574\")\n* Cruise Control: org.apache.kafka/kafka_2.13: Apache Kafka: SCRAM authentication vulnerable to replay attacks when used without encryption (\" CVE-2024-56128\")\n* Cruise Control: org.apache.kafka: Kafka Client Arbitrary File Read SSRF(\"CVE-2025-27817\")\n* Cruise Control: Kafka Clients Vulnerabiliy(\"CVE-2025-27819\")\n* Cruise Control: Kafka Clients Vulnerabiliy(\"CVE-2025-27818\")\n* Cruise Control, Console: io.vertx/vertx-core: Eclipse Vert.x Access Control Flaw (\"CVE-2025-11965\")\n* Cruise Control, Console: Vertx - Cross-site scripting (XSS) vulnerability (\"CVE-2025-11966\")",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2025:23417",
"url": "https://access.redhat.com/errata/RHSA-2025:23417"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "2333013",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2333013"
},
{
"category": "external",
"summary": "2347319",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2347319"
},
{
"category": "external",
"summary": "2371365",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2371365"
},
{
"category": "external",
"summary": "2371367",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2371367"
},
{
"category": "external",
"summary": "2371368",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2371368"
},
{
"category": "external",
"summary": "2374376",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2374376"
},
{
"category": "external",
"summary": "2379554",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2379554"
},
{
"category": "external",
"summary": "2388252",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2388252"
},
{
"category": "external",
"summary": "2392996",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2392996"
},
{
"category": "external",
"summary": "2393000",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2393000"
},
{
"category": "external",
"summary": "2405789",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2405789"
},
{
"category": "external",
"summary": "2405820",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2405820"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_23417.json"
}
],
"title": "Red Hat Security Advisory: Streams for Apache Kafka 3.1.0 release and security update",
"tracking": {
"current_release_date": "2026-01-19T03:55:09+00:00",
"generator": {
"date": "2026-01-19T03:55:09+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.6.15"
}
},
"id": "RHSA-2025:23417",
"initial_release_date": "2025-12-16T23:13:43+00:00",
"revision_history": [
{
"date": "2025-12-16T23:13:43+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2025-12-16T23:13:43+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-01-19T03:55:09+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Streams for Apache Kafka 3.1.0",
"product": {
"name": "Streams for Apache Kafka 3.1.0",
"product_id": "Streams for Apache Kafka 3.1.0",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:amq_streams:3.1::el9"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenShift Enterprise"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-56128",
"cwe": {
"id": "CWE-303",
"name": "Incorrect Implementation of Authentication Algorithm"
},
"discovery_date": "2024-12-18T14:00:43.732728+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2333013"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Apache Kafka\u0027s implementation of the Salted Challenge Response Authentication Mechanism (SCRAM), which did not fully adhere to the requirements of RFC 5802. Specifically, as per RFC 5802, the server must verify that the nonce sent by the client in the second message matches the nonce sent by the server in its first message. However, Kafka\u0027s SCRAM implementation did not perform this validation. In environments where SCRAM is operated over plaintext communication channels, an attacker with access to the exchange can intercept and potentially reuse authentication messages, leveraging the weak nonce validation to gain unauthorized access.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "kafka: Apache Kafka: SCRAM authentication vulnerable to replay attacks when used without encryption",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability is marked with an Important severity because it compromises a fundamental security requirement of the SCRAM protocol as specified in RFC 5802 \u2014the validation of nonces for ensuring message integrity and preventing replay attacks. Without proper nonce validation, an attacker with plaintext access to the SCRAM authentication exchange could manipulate or replay parts of the authentication process, potentially gaining unauthorized access or disrupting the integrity of authentication. While the use of plaintext communication for SCRAM is discouraged, many legacy systems or misconfigured deployments may still rely on it, making them directly susceptible.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Streams for Apache Kafka 3.1.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-56128"
},
{
"category": "external",
"summary": "RHBZ#2333013",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2333013"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-56128",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-56128"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-56128",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-56128"
},
{
"category": "external",
"summary": "https://datatracker.ietf.org/doc/html/rfc5802",
"url": "https://datatracker.ietf.org/doc/html/rfc5802"
},
{
"category": "external",
"summary": "https://datatracker.ietf.org/doc/html/rfc5802#section-9",
"url": "https://datatracker.ietf.org/doc/html/rfc5802#section-9"
},
{
"category": "external",
"summary": "https://kafka.apache.org/documentation/#security_sasl_scram_security",
"url": "https://kafka.apache.org/documentation/#security_sasl_scram_security"
},
{
"category": "external",
"summary": "https://lists.apache.org/thread/84dh4so32lwn7wr6c5s9mwh381vx9wkw",
"url": "https://lists.apache.org/thread/84dh4so32lwn7wr6c5s9mwh381vx9wkw"
}
],
"release_date": "2024-12-18T13:38:03.068000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-12-16T23:13:43+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Streams for Apache Kafka 3.1.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:23417"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Streams for Apache Kafka 3.1.0"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"Streams for Apache Kafka 3.1.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "kafka: Apache Kafka: SCRAM authentication vulnerable to replay attacks when used without encryption"
},
{
"cve": "CVE-2025-1634",
"cwe": {
"id": "CWE-401",
"name": "Missing Release of Memory after Effective Lifetime"
},
"discovery_date": "2025-02-24T14:17:31.237000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2347319"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the quarkus-resteasy extension, which causes memory leaks when client requests with low timeouts are made. If a client request times out, a buffer is not released correctly, leading to increased memory usage and eventual application crash due to OutOfMemoryError.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "io.quarkus:quarkus-resteasy: Memory Leak in Quarkus RESTEasy Classic When Client Requests Timeout",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability is marked as and Important severity rather than Moderate because it allows an unauthenticated attacker to trigger a denial of service condition by repeatedly sending crafted HTTP requests with low timeouts. The issue leads to a memory leak that cannot be recovered without restarting the application, ultimately resulting in an OutOfMemoryError and complete service failure.\n\nIn a production environment, this vulnerability poses a significant risk to availability, especially for applications handling multiple concurrent requests. Since no mitigation exists, all applications using quarkus-resteasy are affected until patched. The ease of exploitation, lack of required privileges, and high impact on service uptime justify the high severity rating.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Streams for Apache Kafka 3.1.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-1634"
},
{
"category": "external",
"summary": "RHBZ#2347319",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2347319"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-1634",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-1634"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-1634",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1634"
}
],
"release_date": "2025-02-24T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-12-16T23:13:43+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Streams for Apache Kafka 3.1.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:23417"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Streams for Apache Kafka 3.1.0"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Streams for Apache Kafka 3.1.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "io.quarkus:quarkus-resteasy: Memory Leak in Quarkus RESTEasy Classic When Client Requests Timeout"
},
{
"cve": "CVE-2025-11965",
"cwe": {
"id": "CWE-552",
"name": "Files or Directories Accessible to External Parties"
},
"discovery_date": "2025-10-22T15:04:14.114397+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2405820"
}
],
"notes": [
{
"category": "description",
"text": "In Eclipse Vert.x versions [4.0.0, 4.5.21] and [5.0.0, 5.0.4], a StaticHandler configuration for restricting access to hidden files fails to restrict access to hidden directories, allowing unauthorized users to retrieve files within them (e.g. \u0027.git/config\u0027).",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "io.vertx/vertx-core: Eclipse Vert.x Access Control Flaw",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Within regulated environments, a combination of the following controls acts as a significant barrier to successfully exploiting a CWE-552: Files or Directories Accessible to External Parties vulnerability and therefore downgrades the severity of this particular CVE from Moderate to Low.\n\nThe platform enforces strict Role-Based Access Control (RBAC), network segmentation, and pod security policies to limit external access pathways. Access is granted only after successful hard token, multi-factor authentication (MFA), with least privilege enforced to ensure only authorized users and roles can execute or manipulate code. Process isolation ensures that workloads are confined to their own containers and namespaces, preventing access to files or directories in other contexts, even in cases of misconfigured permissions. Additionally, file system activity is continuously monitored to detect unauthorized access attempts or anomalous behavior, enabling prompt investigation and remediation.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Streams for Apache Kafka 3.1.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-11965"
},
{
"category": "external",
"summary": "RHBZ#2405820",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2405820"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-11965",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-11965"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-11965",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11965"
},
{
"category": "external",
"summary": "https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/304",
"url": "https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/304"
}
],
"release_date": "2025-10-22T14:50:07.602000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-12-16T23:13:43+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Streams for Apache Kafka 3.1.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:23417"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Streams for Apache Kafka 3.1.0"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"Streams for Apache Kafka 3.1.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "io.vertx/vertx-core: Eclipse Vert.x Access Control Flaw"
},
{
"cve": "CVE-2025-11966",
"cwe": {
"id": "CWE-80",
"name": "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)"
},
"discovery_date": "2025-10-22T15:01:24.122189+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2405789"
}
],
"notes": [
{
"category": "description",
"text": "In Eclipse Vert.x versions [4.0.0, 4.5.21] and [5.0.0, 5.0.4], when \"directory listing\" is enabled, file and directory names are inserted into generated HTML without proper escaping in the href, title, and link attributes. An attacker who can create or rename files or directories within a served path can craft filenames containing malicious script or HTML content, leading to stored cross-site scripting (XSS) that executes in the context of users viewing the affected directory listing.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "io.vertx/vertx-web: Eclipse Vert.x cross site scripting",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Within regulated environments, a combination of the following controls acts as a significant barrier to successful exploitation of a CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) or a CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)vulnerability, and therefore downgrades the severity of this particular CVE from Moderate to Low.\n\nStatic code analysis controls ensure that security flaws, including XSS vulnerabilities, are detected early in development by scanning code for improper input handling. This prevents vulnerable code from reaching production and encourages our developers to follow secure coding practices.\n\nSystem monitoring controls play a crucial role in detecting and responding to XSS attacks by analyzing logs, monitoring user behavior, and generating alerts for suspicious activity. Meanwhile, AWS WAF (Web Application Firewall) adds an extra layer of defense by filtering and blocking malicious input before it reaches the platform and/or application. Together, these controls create a defense-in-depth approach, reducing the risk of XSS exploitation by preventing, detecting, and mitigating attacks at multiple levels.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Streams for Apache Kafka 3.1.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-11966"
},
{
"category": "external",
"summary": "RHBZ#2405789",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2405789"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-11966",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-11966"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-11966",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11966"
},
{
"category": "external",
"summary": "https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/303",
"url": "https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/303"
}
],
"release_date": "2025-10-22T14:44:24.145000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-12-16T23:13:43+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Streams for Apache Kafka 3.1.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:23417"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Streams for Apache Kafka 3.1.0"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"Streams for Apache Kafka 3.1.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "io.vertx/vertx-web: Eclipse Vert.x cross site scripting"
},
{
"cve": "CVE-2025-27817",
"cwe": {
"id": "CWE-918",
"name": "Server-Side Request Forgery (SSRF)"
},
"discovery_date": "2025-06-10T08:00:46.717358+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2371367"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in apache-kafka. The Kafka client improperly handles configuration data for SASL/OAUTHBEARER connections, allowing an attacker to specify a crafted token endpoint URL. This allows for arbitrary file reads and server-side request forgery (SSRF) by a malicious client. Consequently, this can allow an attacker to read arbitrary files on the Kafka broker or initiate requests to internal or external resources.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "org.apache.kafka: Kafka Client Arbitrary File Read SSRF",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This flaw does not affect any Red Hat products.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Streams for Apache Kafka 3.1.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-27817"
},
{
"category": "external",
"summary": "RHBZ#2371367",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2371367"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-27817",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-27817"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-27817",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27817"
},
{
"category": "external",
"summary": "https://kafka.apache.org/cve-list",
"url": "https://kafka.apache.org/cve-list"
}
],
"release_date": "2025-06-10T07:55:14.422000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-12-16T23:13:43+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Streams for Apache Kafka 3.1.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:23417"
},
{
"category": "workaround",
"details": "To mitigate this flaw, explicitly set the allowed urls in SASL JAAS configuration using the system property \"-Dorg.apache.kafka.sasl.oauthbearer.allowed.urls\".",
"product_ids": [
"Streams for Apache Kafka 3.1.0"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"Streams for Apache Kafka 3.1.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "org.apache.kafka: Kafka Client Arbitrary File Read SSRF"
},
{
"cve": "CVE-2025-27818",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2025-06-10T08:00:49.484918+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2371368"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in apache-kafka. This issue occurs due to improper handling of configuration data when using a Kafka client SASL JAAS, allowing an attacker with access to alterConfig for a cluster resource or Kafka Connect worker to inject arbitrary configuration. This injection can lead to the creation or modification of connectors with malicious configurations. Consequently, this can allow an attacker to compromise the integrity and availability of the Kafka cluster or Kafka Connect worker.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "apache-kafka: Apache Kafka: Possible RCE attack via SASL JAAS LdapLoginModule configuration",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "No Red Hat products are affected by this flaw.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Streams for Apache Kafka 3.1.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-27818"
},
{
"category": "external",
"summary": "RHBZ#2371368",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2371368"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-27818",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-27818"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-27818",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27818"
},
{
"category": "external",
"summary": "https://kafka.apache.org/cve-list",
"url": "https://kafka.apache.org/cve-list"
}
],
"release_date": "2025-06-10T07:52:31.778000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-12-16T23:13:43+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Streams for Apache Kafka 3.1.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:23417"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread \ninstallation base or stability.",
"product_ids": [
"Streams for Apache Kafka 3.1.0"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.0,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Streams for Apache Kafka 3.1.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "apache-kafka: Apache Kafka: Possible RCE attack via SASL JAAS LdapLoginModule configuration"
},
{
"cve": "CVE-2025-27819",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2025-06-10T08:00:41.723005+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2371365"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in org.apache.kafka. The JndiLoginModule within the SASL authentication mechanism allows remote code execution and denial of service when misconfigured. This flaw allows an attacker to provide a malicious JNDI URI within the Kafka broker\u0027s configuration, permitting arbitrary code execution on the affected system.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "org.apache.kafka: Kafka JNDI Login Module RCE Vulnerability",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "No Red Hat products or offerings are affected by this vulnerability.\n\nThis vulnerability is categorized as Important rather than Moderate due to its potential to enable remote code execution (RCE) or denial of service (DoS) in a core component of Apache Kafka\u2014its brokers\u2014under certain but realistic conditions. While exploitation requires AlterConfigs permission and network access to the Kafka cluster, these privileges are commonly granted to administrative or automation accounts in real-world deployments. The core issue arises from unsafe JAAS configuration allowing the use of JndiLoginModule, which can trigger JNDI lookups and result in arbitrary code execution if a malicious LDAP or RMI server is referenced. Given Kafka\u0027s central role in data pipelines and real-time processing systems, a successful exploit could lead to a full cluster compromise, service disruption, or even lateral movement within a network.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Streams for Apache Kafka 3.1.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-27819"
},
{
"category": "external",
"summary": "RHBZ#2371365",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2371365"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-27819",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-27819"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-27819",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27819"
},
{
"category": "external",
"summary": "https://kafka.apache.org/cve-list",
"url": "https://kafka.apache.org/cve-list"
}
],
"release_date": "2025-06-10T07:54:41.896000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-12-16T23:13:43+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Streams for Apache Kafka 3.1.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:23417"
},
{
"category": "workaround",
"details": "To mitigate this flaw, disable the problematic login module\u0027s usage in the SASL JAAS configuration using the system property, \"-Dorg.apache.kafka.disallowed.login.modules\".",
"product_ids": [
"Streams for Apache Kafka 3.1.0"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Streams for Apache Kafka 3.1.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "org.apache.kafka: Kafka JNDI Login Module RCE Vulnerability"
},
{
"cve": "CVE-2025-48924",
"cwe": {
"id": "CWE-674",
"name": "Uncontrolled Recursion"
},
"discovery_date": "2025-07-11T15:01:08.754489+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2379554"
}
],
"notes": [
{
"category": "description",
"text": "An uncontrolled recursion flaw was found in the Apache Commons Lang library. The ClassUtils.getClass(...) method can throw a StackOverflowError on very long inputs. Since this error is typically not handled by applications and libraries, a StackOverflowError may lead to the termination of an application.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "commons-lang/commons-lang: org.apache.commons/commons-lang3: Uncontrolled Recursion vulnerability in Apache Commons Lang",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Streams for Apache Kafka 3.1.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-48924"
},
{
"category": "external",
"summary": "RHBZ#2379554",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2379554"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-48924",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-48924"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-48924",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48924"
},
{
"category": "external",
"summary": "https://lists.apache.org/thread/bgv0lpswokgol11tloxnjfzdl7yrc1g1",
"url": "https://lists.apache.org/thread/bgv0lpswokgol11tloxnjfzdl7yrc1g1"
}
],
"release_date": "2025-07-11T14:56:58.049000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-12-16T23:13:43+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Streams for Apache Kafka 3.1.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:23417"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Streams for Apache Kafka 3.1.0"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"Streams for Apache Kafka 3.1.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "commons-lang/commons-lang: org.apache.commons/commons-lang3: Uncontrolled Recursion vulnerability in Apache Commons Lang"
},
{
"cve": "CVE-2025-49574",
"cwe": {
"id": "CWE-668",
"name": "Exposure of Resource to Wrong Sphere"
},
"discovery_date": "2025-06-23T20:00:57.216622+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2374376"
}
],
"notes": [
{
"category": "description",
"text": "A data leak vulnerability has been discovered in the io.quarkus:quarkus-vertx package. This flaw can lead to information disclosure if a Vert.x context that has already been duplicated is subsequently duplicated again. In such a scenario, sensitive data residing within that context may be unintentionally exposed.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "io.quarkus/quarkus-vertx: Quarkus potential data leak",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Streams for Apache Kafka 3.1.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-49574"
},
{
"category": "external",
"summary": "RHBZ#2374376",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2374376"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-49574",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-49574"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-49574",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49574"
},
{
"category": "external",
"summary": "https://github.com/quarkusio/quarkus/commit/2b58f59f4bf0bae7d35b1abb585b65f2a66787d1",
"url": "https://github.com/quarkusio/quarkus/commit/2b58f59f4bf0bae7d35b1abb585b65f2a66787d1"
},
{
"category": "external",
"summary": "https://github.com/quarkusio/quarkus/issues/48227",
"url": "https://github.com/quarkusio/quarkus/issues/48227"
},
{
"category": "external",
"summary": "https://github.com/quarkusio/quarkus/security/advisories/GHSA-9623-mj7j-p9v4",
"url": "https://github.com/quarkusio/quarkus/security/advisories/GHSA-9623-mj7j-p9v4"
}
],
"release_date": "2025-06-23T19:47:05.454000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-12-16T23:13:43+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Streams for Apache Kafka 3.1.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:23417"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Streams for Apache Kafka 3.1.0"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"Streams for Apache Kafka 3.1.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "io.quarkus/quarkus-vertx: Quarkus potential data leak"
},
{
"cve": "CVE-2025-55163",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2025-08-13T15:01:55.372237+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2388252"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Netty where malformed client requests can trigger server-side stream resets without triggering abuse counters. This issue, referred to as the \"MadeYouReset\" attack, allows malicious clients to induce excessive server workload by repeatedly causing server-side stream aborts. While not a protocol bug, this highlights a common implementation weakness that can be exploited to cause a denial of service (DoS).",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "netty: netty-codec-http2: Netty MadeYouReset HTTP/2 DDoS Vulnerability",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability is rated with an Important severity. It is simple to exploit because it does not require authentication and could result in a denial of service (DoS). While some DoS flaws are classified as Moderate, \u201cMadeYouReset\u201d is Important because of the limited barriers (no specialized tooling or advanced scripting) to exploitation, which directly impacts service availability. The vulnerability arises from an implementation weakness in HTTP/2 stream reset handling \u2014 malformed client requests can trigger server-side resets without incrementing abuse counters, allowing an attacker to bypass built-in request throttling and overhead limits. Since these resets consume CPU and memory resources and can be generated at scale over a single TCP/TLS connection, a remote attacker could exhaust server capacity quickly, impacting all legitimate clients.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Streams for Apache Kafka 3.1.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-55163"
},
{
"category": "external",
"summary": "RHBZ#2388252",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2388252"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-55163",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-55163"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-55163",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55163"
},
{
"category": "external",
"summary": "https://github.com/netty/netty/security/advisories/GHSA-prj3-ccx8-p6x4",
"url": "https://github.com/netty/netty/security/advisories/GHSA-prj3-ccx8-p6x4"
},
{
"category": "external",
"summary": "https://kb.cert.org/vuls/id/767506",
"url": "https://kb.cert.org/vuls/id/767506"
}
],
"release_date": "2025-08-13T14:17:36.111000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-12-16T23:13:43+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Streams for Apache Kafka 3.1.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:23417"
},
{
"category": "workaround",
"details": "No mitigation is currently available that meets Red Hat Product Security\u2019s standards for usability, deployment, applicability, or stability.",
"product_ids": [
"Streams for Apache Kafka 3.1.0"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Streams for Apache Kafka 3.1.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "netty: netty-codec-http2: Netty MadeYouReset HTTP/2 DDoS Vulnerability"
},
{
"cve": "CVE-2025-58056",
"cwe": {
"id": "CWE-444",
"name": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)"
},
"discovery_date": "2025-09-03T21:01:22.935850+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2392996"
}
],
"notes": [
{
"category": "description",
"text": "A flaw in Netty\u2019s HTTP/1.1 chunked encoding parser allows newline (LF) characters in chunk extensions to be incorrectly treated as the end of the chunk-size line instead of requiring the proper CRLF sequence. This discrepancy can be exploited in rare cases where a reverse proxy interprets the same input differently, potentially enabling HTTP request smuggling attacks such as bypassing access controls or corrupting responses.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "netty-codec-http: Netty is vulnerable to request smuggling due to incorrect parsing of chunk extensions",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This issue is considered Moderate rather than Important because successful exploitation depends on a very specific deployment condition: the presence of an intermediary reverse proxy that both mishandles lone LF characters in chunk extensions and forwards them unmodified to Netty. By itself, Netty\u2019s parsing quirk does not introduce risk, and in most real-world environments, reverse proxies normalize or reject malformed chunked requests, preventing smuggling. As a result, the vulnerability has limited reach, requires a niche configuration to be exploitable, and does not universally expose Netty-based servers to request smuggling\u2014hence it is rated moderate in severity rather than important or critical.\n\nWithin regulated environments, a combination of the following controls acts as a significant barrier to successfully exploiting a CWE-444: Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027) vulnerability and therefore downgrades the severity of this particular CVE from Moderate to Low.\n\nThe platform uses secure, encrypted HTTPS connections over TLS 1.2 to reduce the risk of smuggling attacks by preventing the injection of ambiguous or malformed requests between components. The environment employs IPS/IDS and antimalware solutions to detect and block malicious code while ensuring consistent interpretation of HTTP requests across network layers, mitigating request/response inconsistencies. Event logs are collected and analyzed for centralization, correlation, monitoring, alerting, and retention, enabling the detection of malformed or suspicious HTTP traffic. Static code analysis and peer reviews enforce strong input validation and error handling to ensure all user inputs adhere to HTTP protocol specifications.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Streams for Apache Kafka 3.1.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-58056"
},
{
"category": "external",
"summary": "RHBZ#2392996",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2392996"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-58056",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-58056"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-58056",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58056"
},
{
"category": "external",
"summary": "https://datatracker.ietf.org/doc/html/rfc9112#name-chunked-transfer-coding",
"url": "https://datatracker.ietf.org/doc/html/rfc9112#name-chunked-transfer-coding"
},
{
"category": "external",
"summary": "https://github.com/JLLeitschuh/unCVEed/issues/1",
"url": "https://github.com/JLLeitschuh/unCVEed/issues/1"
},
{
"category": "external",
"summary": "https://github.com/netty/netty/commit/edb55fd8e0a3bcbd85881e423464f585183d1284",
"url": "https://github.com/netty/netty/commit/edb55fd8e0a3bcbd85881e423464f585183d1284"
},
{
"category": "external",
"summary": "https://github.com/netty/netty/issues/15522",
"url": "https://github.com/netty/netty/issues/15522"
},
{
"category": "external",
"summary": "https://github.com/netty/netty/pull/15611",
"url": "https://github.com/netty/netty/pull/15611"
},
{
"category": "external",
"summary": "https://github.com/netty/netty/security/advisories/GHSA-fghv-69vj-qj49",
"url": "https://github.com/netty/netty/security/advisories/GHSA-fghv-69vj-qj49"
},
{
"category": "external",
"summary": "https://w4ke.info/2025/06/18/funky-chunks.html",
"url": "https://w4ke.info/2025/06/18/funky-chunks.html"
}
],
"release_date": "2025-09-03T20:56:50.732000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-12-16T23:13:43+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Streams for Apache Kafka 3.1.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:23417"
},
{
"category": "workaround",
"details": "To mitigate this issue, enforce strict RFC compliance on all front-end proxies and load balancers so that lone LF characters in chunk extensions are rejected or normalized before being forwarded. Additionally, configure input validation at the application or proxy layer to block malformed chunked requests, ensuring consistent parsing across all components in the request path.",
"product_ids": [
"Streams for Apache Kafka 3.1.0"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"Streams for Apache Kafka 3.1.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "netty-codec-http: Netty is vulnerable to request smuggling due to incorrect parsing of chunk extensions"
},
{
"cve": "CVE-2025-58057",
"cwe": {
"id": "CWE-409",
"name": "Improper Handling of Highly Compressed Data (Data Amplification)"
},
"discovery_date": "2025-09-03T22:00:48.401986+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2393000"
}
],
"notes": [
{
"category": "description",
"text": "Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers \u0026 clients. In netty-codec-compression versions 4.1.124.Final and below, and netty-codec versions 4.2.4.Final and below, when supplied with specially crafted input, BrotliDecoder and certain other decompression decoders will allocate a large number of reachable byte buffers, which can lead to denial of service. BrotliDecoder.decompress has no limit in how often it calls pull, decompressing data 64K bytes at a time. The buffers are saved in the output list, and remain reachable until OOM is hit. This is fixed in versions 4.1.125.Final of netty-codec and 4.2.5.Final of netty-codec-compression.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "netty-codec: netty-codec-compression: Netty\u0027s BrotliDecoder is vulnerable to DoS via zip bomb style attack",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Streams for Apache Kafka 3.1.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-58057"
},
{
"category": "external",
"summary": "RHBZ#2393000",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2393000"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-58057",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-58057"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-58057",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58057"
},
{
"category": "external",
"summary": "https://github.com/netty/netty/commit/9d804c54ce962408ae6418255a83a13924f7145d",
"url": "https://github.com/netty/netty/commit/9d804c54ce962408ae6418255a83a13924f7145d"
},
{
"category": "external",
"summary": "https://github.com/netty/netty/security/advisories/GHSA-3p8m-j85q-pgmj",
"url": "https://github.com/netty/netty/security/advisories/GHSA-3p8m-j85q-pgmj"
}
],
"release_date": "2025-09-03T21:46:49.928000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-12-16T23:13:43+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Streams for Apache Kafka 3.1.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:23417"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Streams for Apache Kafka 3.1.0"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"Streams for Apache Kafka 3.1.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "netty-codec: netty-codec-compression: Netty\u0027s BrotliDecoder is vulnerable to DoS via zip bomb style attack"
}
]
}
GHSA-45P5-V273-3QQR
Vulnerability from github – Published: 2025-10-22 19:38 – Updated: 2025-10-22 19:38
VLAI?
Summary
Vert.x-Web vulnerable to Stored Cross-site Scripting in directory listings via file names
Details
Description
- In the
StaticHandlerImpl#sendDirectoryListing(...)method under thetext/htmlbranch, file and directory names are directly embedded into thehref,title, and link text without proper HTML escaping. - As a result, in environments where an attacker can control file names, injecting HTML/JavaScript is possible. Simply accessing the directory listing page will trigger an XSS.
- Affected Code:
- File:
vertx-web/src/main/java/io/vertx/ext/web/handler/impl/StaticHandlerImpl.java - Lines:
- 709–713:
normalizedDiris constructed without escaping - 714–731:
<li><a ...>elements insert file names directly into attributes and body without escaping - 744: parent directory name construction
- 746–751:
{directory},{parent}, and{files}are inserted into the HTML template without escaping
- 709–713:
- File:
Reproduction Steps
-
Prerequisites:
- Directory listing is enabled using
StaticHandler
(e.g.,StaticHandler.create("public").setDirectoryListing(true)) - The attacker has the ability to create arbitrary file names under a public directory (e.g., via upload functionality or a shared directory)
- Directory listing is enabled using
-
Create a malicious file name (example for Unix-based OS):
- Create an empty file in
public/with one of the following names: <img src=x onerror=alert('XSS')>.txt- Or attribute injection:
evil" onmouseover="alert('XSS')".txt - Example:
bash mkdir -p public printf 'test' > "public/<img src=x onerror=alert('XSS')>.txt"
- Create an empty file in
-
Start the server (example):
- Routing:
router.route("/public/*").handler(StaticHandler.create("public").setDirectoryListing(true)); - Server:
vertx.createHttpServer().requestHandler(router).listen(8890);
- Routing:
-
Verification request (raw HTTP):
GET /public/ HTTP/1.1 Host: 127.0.0.1:8890 Accept: text/html Connection: close -
Example response excerpt:
html <ul id="files"> <li> <a href="/public/<img src=x onerror=alert('XSS')>.txt" title="<img src=x onerror=alert('XSS')>.txt"> <img src=x onerror=alert('XSS')>.txt </a> </li> ... </ul> -
When accessing
/public/in a browser, the unescaped file name is interpreted as HTML, and event handlers such asonerrorare executed.
Potential Impact
-
Stored XSS
- Arbitrary JavaScript executes in the browser context of users viewing the listing page
- Possible consequences:
- Theft of session tokens, JWTs, localStorage contents, or CSRF tokens
- Unauthorized actions with admin privileges (user creation, permission changes, settings modifications)
- Watering hole attacks, including malware distribution or malicious script injection to other pages
-
Common Conditions That Make Exploitation Easier
- Uploaded files are served directly under a publicly accessible directory
- Shared/synced directories (e.g., NFS, SMB, WebDAV, or cloud sync) are exposed
- ZIP/TAR archives are extracted directly under the webroot and directory listing is enabled in production environments
Similar CVEs Previously Reported
- CVE‑2024‑32966
- CVE‑2019‑15603
Severity ?
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "io.vertx:vertx-web"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.5.22"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 5.0.4"
},
"package": {
"ecosystem": "Maven",
"name": "io.vertx:vertx-web"
},
"ranges": [
{
"events": [
{
"introduced": "5.0.0"
},
{
"fixed": "5.0.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-11966"
],
"database_specific": {
"cwe_ids": [
"CWE-79"
],
"github_reviewed": true,
"github_reviewed_at": "2025-10-22T19:38:11Z",
"nvd_published_at": "2025-10-22T15:15:31Z",
"severity": "LOW"
},
"details": "# Description\n\n- In the `StaticHandlerImpl#sendDirectoryListing(...)` method under the `text/html` branch, file and directory names are directly embedded into the `href`, `title`, and link text without proper HTML escaping.\n- As a result, in environments where an attacker can control file names, injecting HTML/JavaScript is possible. Simply accessing the directory listing page will trigger an XSS.\n- Affected Code:\n - File: `vertx-web/src/main/java/io/vertx/ext/web/handler/impl/StaticHandlerImpl.java`\n - Lines:\n - 709\u2013713: `normalizedDir` is constructed without escaping\n - 714\u2013731: `\u003cli\u003e\u003ca ...\u003e` elements insert file names directly into attributes and body without escaping\n - 744: parent directory name construction\n - 746\u2013751: `{directory}`, `{parent}`, and `{files}` are inserted into the HTML template without escaping\n\n# Reproduction Steps\n\n1. Prerequisites:\n - Directory listing is enabled using `StaticHandler` \n (e.g., `StaticHandler.create(\"public\").setDirectoryListing(true)`)\n - The attacker has the ability to create arbitrary file names under a public directory (e.g., via upload functionality or a shared directory)\n\n2. Create a malicious file name (example for Unix-based OS):\n - Create an empty file in `public/` with one of the following names:\n - `\u003cimg src=x onerror=alert(\u0027XSS\u0027)\u003e.txt`\n - Or attribute injection: `evil\" onmouseover=\"alert(\u0027XSS\u0027)\".txt`\n - Example:\n ```bash\n mkdir -p public\n printf \u0027test\u0027 \u003e \"public/\u003cimg src=x onerror=alert(\u0027XSS\u0027)\u003e.txt\"\n ```\n\n3. Start the server (example):\n - Routing: `router.route(\"/public/*\").handler(StaticHandler.create(\"public\").setDirectoryListing(true));`\n - Server: `vertx.createHttpServer().requestHandler(router).listen(8890);`\n\n4. Verification request (raw HTTP):\n ```\n GET /public/ HTTP/1.1\n Host: 127.0.0.1:8890\n Accept: text/html\n Connection: close\n ```\n\n5. Example response excerpt:\n ```html\n \u003cul id=\"files\"\u003e\n \u003cli\u003e\n \u003ca href=\"/public/\u003cimg src=x onerror=alert(\u0027XSS\u0027)\u003e.txt\"\n title=\"\u003cimg src=x onerror=alert(\u0027XSS\u0027)\u003e.txt\"\u003e\n \u003cimg src=x onerror=alert(\u0027XSS\u0027)\u003e.txt\n \u003c/a\u003e\n \u003c/li\u003e\n ...\n \u003c/ul\u003e\n ```\n\n- When accessing `/public/` in a browser, the unescaped file name is interpreted as HTML, and event handlers such as `onerror` are executed.\n\n# Potential Impact\n\n- **Stored XSS**\n - Arbitrary JavaScript executes in the browser context of users viewing the listing page\n - Possible consequences:\n - Theft of session tokens, JWTs, localStorage contents, or CSRF tokens\n - Unauthorized actions with admin privileges (user creation, permission changes, settings modifications)\n - Watering hole attacks, including malware distribution or malicious script injection to other pages\n\n- **Common Conditions That Make Exploitation Easier**\n - Uploaded files are served directly under a publicly accessible directory\n - Shared/synced directories (e.g., NFS, SMB, WebDAV, or cloud sync) are exposed\n - ZIP/TAR archives are extracted directly under the webroot and directory listing is enabled in production environments\n\n# Similar CVEs Previously Reported\n\n- CVE\u20112024\u201132966 \n- CVE\u20112019\u201115603",
"id": "GHSA-45p5-v273-3qqr",
"modified": "2025-10-22T19:38:11Z",
"published": "2025-10-22T19:38:11Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/vert-x3/vertx-web/security/advisories/GHSA-45p5-v273-3qqr"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11966"
},
{
"type": "PACKAGE",
"url": "https://github.com/vert-x3/vertx-web"
},
{
"type": "WEB",
"url": "https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/303"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Vert.x-Web vulnerable to Stored Cross-site Scripting in directory listings via file names"
}
FKIE_CVE-2025-11966
Vulnerability from fkie_nvd - Published: 2025-10-22 15:15 - Updated: 2025-10-22 21:12
Severity ?
Summary
In Eclipse Vert.x versions [4.0.0, 4.5.21] and [5.0.0, 5.0.4], when "directory listing" is enabled, file and directory names are inserted into generated HTML without proper escaping in the href, title, and link attributes. An attacker who can create or rename files or directories within a served path can craft filenames containing malicious script or HTML content, leading to stored cross-site scripting (XSS) that executes in the context of users viewing the affected directory listing.
References
Impacted products
| Vendor | Product | Version |
|---|
{
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In Eclipse Vert.x versions [4.0.0, 4.5.21] and [5.0.0, 5.0.4], when \"directory listing\" is enabled, file and directory names are inserted into generated HTML without proper escaping in the href, title, and link attributes. An attacker who can create or rename files or directories within a served path can craft filenames containing malicious script or HTML content, leading to stored cross-site scripting (XSS) that executes in the context of users viewing the affected directory listing."
}
],
"id": "CVE-2025-11966",
"lastModified": "2025-10-22T21:12:48.953",
"metrics": {
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 2.3,
"baseSeverity": "LOW",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "emo@eclipse.org",
"type": "Secondary"
}
]
},
"published": "2025-10-22T15:15:31.730",
"references": [
{
"source": "emo@eclipse.org",
"url": "https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/303"
}
],
"sourceIdentifier": "emo@eclipse.org",
"vulnStatus": "Undergoing Analysis",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
},
{
"lang": "en",
"value": "CWE-80"
}
],
"source": "emo@eclipse.org",
"type": "Secondary"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…