GHSA-45P5-V273-3QQR

Vulnerability from github – Published: 2025-10-22 19:38 – Updated: 2026-01-21 16:37
VLAI
Summary
Vert.x-Web vulnerable to Stored Cross-site Scripting in directory listings via file names
Details

Description

  • In the StaticHandlerImpl#sendDirectoryListing(...) method under the text/html branch, file and directory names are directly embedded into the href, title, and link text without proper HTML escaping.
  • As a result, in environments where an attacker can control file names, injecting HTML/JavaScript is possible. Simply accessing the directory listing page will trigger an XSS.
  • Affected Code:
    • File: vertx-web/src/main/java/io/vertx/ext/web/handler/impl/StaticHandlerImpl.java
    • Lines:
      • 709–713: normalizedDir is constructed without escaping
      • 714–731: <li><a ...> elements insert file names directly into attributes and body without escaping
      • 744: parent directory name construction
      • 746–751: {directory}, {parent}, and {files} are inserted into the HTML template without escaping

Reproduction Steps

  1. Prerequisites:

    • Directory listing is enabled using StaticHandler
      (e.g., StaticHandler.create("public").setDirectoryListing(true))
    • The attacker has the ability to create arbitrary file names under a public directory (e.g., via upload functionality or a shared directory)

  2. Create a malicious file name (example for Unix-based OS):

    • Create an empty file in public/ with one of the following names:
    • <img src=x onerror=alert('XSS')>.txt
    • Or attribute injection: evil" onmouseover="alert('XSS')".txt
    • Example: bash mkdir -p public printf 'test' > "public/<img src=x onerror=alert('XSS')>.txt"

  3. Start the server (example):

    • Routing: router.route("/public/*").handler(StaticHandler.create("public").setDirectoryListing(true));
    • Server: vertx.createHttpServer().requestHandler(router).listen(8890);

  4. Verification request (raw HTTP): GET /public/ HTTP/1.1 Host: 127.0.0.1:8890 Accept: text/html Connection: close

  5. Example response excerpt: html <ul id="files"> <li> <a href="/public/<img src=x onerror=alert('XSS')>.txt" title="<img src=x onerror=alert('XSS')>.txt"> <img src=x onerror=alert('XSS')>.txt </a> </li> ... </ul>

  6. When accessing /public/ in a browser, the unescaped file name is interpreted as HTML, and event handlers such as onerror are executed.

Potential Impact

  • Stored XSS

    • Arbitrary JavaScript executes in the browser context of users viewing the listing page
    • Possible consequences:
      • Theft of session tokens, JWTs, localStorage contents, or CSRF tokens
      • Unauthorized actions with admin privileges (user creation, permission changes, settings modifications)
      • Watering hole attacks, including malware distribution or malicious script injection to other pages

  • Common Conditions That Make Exploitation Easier

    • Uploaded files are served directly under a publicly accessible directory
    • Shared/synced directories (e.g., NFS, SMB, WebDAV, or cloud sync) are exposed
    • ZIP/TAR archives are extracted directly under the webroot and directory listing is enabled in production environments

Similar CVEs Previously Reported

  • CVE‑2024‑32966
  • CVE‑2019‑15603
Severity
4.9 (Medium)
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N
2.3 (Low)
CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "io.vertx:vertx-web"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.5.22"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 5.0.4"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "io.vertx:vertx-web"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.0.0"
            },
            {
              "fixed": "5.0.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-11966"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-10-22T19:38:11Z",
    "nvd_published_at": "2025-10-22T15:15:31Z",
    "severity": "LOW"
  },
  "details": "# Description\n\n- In the `StaticHandlerImpl#sendDirectoryListing(...)` method under the `text/html` branch, file and directory names are directly embedded into the `href`, `title`, and link text without proper HTML escaping.\n- As a result, in environments where an attacker can control file names, injecting HTML/JavaScript is possible. Simply accessing the directory listing page will trigger an XSS.\n- Affected Code:\n    - File: `vertx-web/src/main/java/io/vertx/ext/web/handler/impl/StaticHandlerImpl.java`\n    - Lines:\n        - 709\u2013713: `normalizedDir` is constructed without escaping\n        - 714\u2013731: `\u003cli\u003e\u003ca ...\u003e` elements insert file names directly into attributes and body without escaping\n        - 744: parent directory name construction\n        - 746\u2013751: `{directory}`, `{parent}`, and `{files}` are inserted into the HTML template without escaping\n\n# Reproduction Steps\n\n1. Prerequisites:\n    - Directory listing is enabled using `StaticHandler`  \n      (e.g., `StaticHandler.create(\"public\").setDirectoryListing(true)`)\n    - The attacker has the ability to create arbitrary file names under a public directory (e.g., via upload functionality or a shared directory)\n\n2. Create a malicious file name (example for Unix-based OS):\n    - Create an empty file in `public/` with one of the following names:\n      - `\u003cimg src=x onerror=alert(\u0027XSS\u0027)\u003e.txt`\n      - Or attribute injection: `evil\" onmouseover=\"alert(\u0027XSS\u0027)\".txt`\n    - Example:\n      ```bash\n      mkdir -p public\n      printf \u0027test\u0027 \u003e \"public/\u003cimg src=x onerror=alert(\u0027XSS\u0027)\u003e.txt\"\n      ```\n\n3. Start the server (example):\n    - Routing: `router.route(\"/public/*\").handler(StaticHandler.create(\"public\").setDirectoryListing(true));`\n    - Server: `vertx.createHttpServer().requestHandler(router).listen(8890);`\n\n4. Verification request (raw HTTP):\n    ```\n    GET /public/ HTTP/1.1\n    Host: 127.0.0.1:8890\n    Accept: text/html\n    Connection: close\n    ```\n\n5. Example response excerpt:\n    ```html\n    \u003cul id=\"files\"\u003e\n      \u003cli\u003e\n        \u003ca href=\"/public/\u003cimg src=x onerror=alert(\u0027XSS\u0027)\u003e.txt\"\n           title=\"\u003cimg src=x onerror=alert(\u0027XSS\u0027)\u003e.txt\"\u003e\n           \u003cimg src=x onerror=alert(\u0027XSS\u0027)\u003e.txt\n        \u003c/a\u003e\n      \u003c/li\u003e\n      ...\n    \u003c/ul\u003e\n    ```\n\n- When accessing `/public/` in a browser, the unescaped file name is interpreted as HTML, and event handlers such as `onerror` are executed.\n\n# Potential Impact\n\n- **Stored XSS**\n    - Arbitrary JavaScript executes in the browser context of users viewing the listing page\n    - Possible consequences:\n        - Theft of session tokens, JWTs, localStorage contents, or CSRF tokens\n        - Unauthorized actions with admin privileges (user creation, permission changes, settings modifications)\n        - Watering hole attacks, including malware distribution or malicious script injection to other pages\n\n- **Common Conditions That Make Exploitation Easier**\n    - Uploaded files are served directly under a publicly accessible directory\n    - Shared/synced directories (e.g., NFS, SMB, WebDAV, or cloud sync) are exposed\n    - ZIP/TAR archives are extracted directly under the webroot and directory listing is enabled in production environments\n\n# Similar CVEs Previously Reported\n\n- CVE\u20112024\u201132966  \n- CVE\u20112019\u201115603",
  "id": "GHSA-45p5-v273-3qqr",
  "modified": "2026-01-21T16:37:06Z",
  "published": "2025-10-22T19:38:11Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/vert-x3/vertx-web/security/advisories/GHSA-45p5-v273-3qqr"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11966"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/vert-x3/vertx-web"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/303"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Vert.x-Web vulnerable to Stored Cross-site Scripting in directory listings via file names"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.