io.vertx:vertx-web 4.0.0-milestone1 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the io.vertx:vertx-web package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
H Files or Directories Accessible to External Parties io.vertx:vertx-web is a HTTP web applications for Vert.x. Affected versions of this package are vulnerable to Files or Directories Accessible to External Parties via improper handling of hidden directories in the `StaticHandler` implementation when the `setIncludeHidden(false)` configuration is set. An attacker can access sensitive files within hidden directories by directly requesting their paths, potentially exposing confidential information like credentials, configuration files, or source code. How to fix Files or Directories Accessible to External Parties? Upgrade `io.vertx:vertx-web` to version 4.5.22, 5.0.5 or higher.	[,4.5.22)[5.0.0.CR1,5.0.5)
L Cross-site Scripting (XSS) io.vertx:vertx-web is a HTTP web applications for Vert.x. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the `sendDirectoryListing` in `StaticHandlerImpl.java`. An attacker can execute arbitrary JavaScript in the browser context of users viewing the directory listing page by creating files with specially crafted names that are rendered without proper HTML escaping. Notes: Successful exploitation requires directory listing to be enabled using StaticHandler (e.g., `StaticHandler.create("public").setDirectoryListing(true)`) The attacker requires the ability to create arbitrary file names under a public directory (e.g., via upload functionality or a shared directory) How to fix Cross-site Scripting (XSS)? Upgrade `io.vertx:vertx-web` to version 4.5.22, 5.0.5 or higher.	[,4.5.22)[5.0.0.CR1,5.0.5)
H Cross-site Request Forgery (CSRF) io.vertx:vertx-web is a HTTP web applications for Vert.x. Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF). Vert.x-Web framework does not perform a correct CSRF verification. Instead of comparing the CSRF token in the request with the CSRF token in the cookie, it compares the CSRF token in the cookie against a CSRF token that is stored in the session. An attacker does not even need to provide a CSRF token in the request because the framework does not consider it. The cookies are automatically sent by the browser and the verification will always succeed, leading to a successful CSRF attack. How to fix Cross-site Request Forgery (CSRF)? Upgrade `io.vertx:vertx-web` to version 4.0.0-milestone5 or higher.	[4.0.0-milestone1,4.0.0-milestone5)

Vulnerability

Vulnerable Version

Files or Directories Accessible to External Parties

io.vertx:vertx-web is a HTTP web applications for Vert.x.

Affected versions of this package are vulnerable to Files or Directories Accessible to External Parties via improper handling of hidden directories in the StaticHandler implementation when the setIncludeHidden(false) configuration is set. An attacker can access sensitive files within hidden directories by directly requesting their paths, potentially exposing confidential information like credentials, configuration files, or source code.

How to fix Files or Directories Accessible to External Parties?

Upgrade io.vertx:vertx-web to version 4.5.22, 5.0.5 or higher.

[,4.5.22)[5.0.0.CR1,5.0.5)

Cross-site Scripting (XSS)

io.vertx:vertx-web is a HTTP web applications for Vert.x.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the sendDirectoryListing in StaticHandlerImpl.java. An attacker can execute arbitrary JavaScript in the browser context of users viewing the directory listing page by creating files with specially crafted names that are rendered without proper HTML escaping.

Notes:

Successful exploitation requires directory listing to be enabled using StaticHandler (e.g., StaticHandler.create("public").setDirectoryListing(true))
The attacker requires the ability to create arbitrary file names under a public directory (e.g., via upload functionality or a shared directory)

How to fix Cross-site Scripting (XSS)?

Upgrade io.vertx:vertx-web to version 4.5.22, 5.0.5 or higher.

[,4.5.22)[5.0.0.CR1,5.0.5)

Cross-site Request Forgery (CSRF)

io.vertx:vertx-web is a HTTP web applications for Vert.x.

Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF). Vert.x-Web framework does not perform a correct CSRF verification. Instead of comparing the CSRF token in the request with the CSRF token in the cookie, it compares the CSRF token in the cookie against a CSRF token that is stored in the session. An attacker does not even need to provide a CSRF token in the request because the framework does not consider it. The cookies are automatically sent by the browser and the verification will always succeed, leading to a successful CSRF attack.

How to fix Cross-site Request Forgery (CSRF)?

Upgrade io.vertx:vertx-web to version 4.0.0-milestone5 or higher.

[4.0.0-milestone1,4.0.0-milestone5)

io.vertx:vertx-web@4.0.0-milestone1 vulnerabilities

latest version

latest non vulnerable version

first published

latest version published

licenses detected

package registry

Direct Vulnerabilities

Fix vulnerabilities automatically