Exposure of Resource to Wrong Sphere Affecting io.vertx:vertx-core package, versions [4.5.12, 4.5.16)


Severity: high (CVSS assessment by Snyk's Security Team)

Threat Intelligence

EPSS: 0.02% (3rd percentile)

  • Snyk ID: SNYK-JAVA-IOVERTX-10495500
  • Published: 24 Jun 2025
  • Disclosed: 23 Jun 2025
  • Credit: Markus Dlugi

Introduced: 23 Jun 2025

CVE-2025-49574
CWE-668

How to fix?

Upgrade io.vertx:vertx-core to version 4.5.16 or higher.

Overview

io.vertx:vertx-core is a tool-kit for building reactive applications on the JVM.

Affected versions of this package are vulnerable to Exposure of Resource to Wrong Sphere via the context duplication mechanism. An attacker can access sensitive data belonging to another transaction by triggering the duplication of a context that is itself already a duplicated context.

Note:

Duplicating a duplicated context is rather rare and is only done in a few places:

  • Quarkus REST Client when using OTel (but it's the same transaction, so no leak)
  • Quarkus Messaging connectors
  • Quarkus SmallRye Health (same transaction, so no leak)

Workaround

When a duplicated context must itself be duplicated, obtain the root context first and duplicate that instead, which avoids the potential leak:

((ContextInternal) VertxContext.getRootContext(ctx)).duplicate()
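The workaround above wrapped in a small helper, with the pattern it replaces beside it. This is an added example, not code from Snyk, Vert.x or Quarkus: it assumes the page's VertxContext helper lives at io.quarkus.vertx.core.runtime.context.VertxContext, uses the Vert.x 4 ContextInternal methods duplicate(), isDuplicate(), putLocal() and getLocal(), and the key and transaction ids are constructed sample values.

```java
import io.vertx.core.Context;
import io.vertx.core.Vertx;
import io.vertx.core.impl.ContextInternal;
// Assumed import path for the VertxContext helper quoted in the workaround.
import io.quarkus.vertx.core.runtime.context.VertxContext;

public final class SafeContextDuplication {

    // Constructed sample key for per-transaction local data.
    private static final String TX_KEY = "tx-id";

    // Hardened pattern from the advisory's workaround: resolve the root
    // context first and duplicate that, so the new context never inherits
    // the local state of another transaction's duplicate.
    static ContextInternal duplicateFromRoot(Context ctx) {
        ContextInternal root = (ContextInternal) VertxContext.getRootContext(ctx);
        return root.duplicate();
    }

    // Pattern the advisory describes as risky on affected versions: duplicating
    // whatever context is at hand, which may already be a duplicate that
    // carries another transaction's local data.
    static ContextInternal duplicateDirectly(Context ctx) {
        return ((ContextInternal) ctx).duplicate();
    }

    public static void main(String[] args) {
        Vertx vertx = Vertx.vertx();
        Context root = vertx.getOrCreateContext();

        // Transaction A gets its own duplicated context and stores its id there.
        ContextInternal txA = duplicateFromRoot(root);
        txA.putLocal(TX_KEY, "A-0001"); // constructed value

        // Code running on txA later needs a fresh context for transaction B.
        // Going through the root keeps B's local state separate from A's.
        ContextInternal txB = duplicateFromRoot(txA);
        txB.putLocal(TX_KEY, "B-0002"); // constructed value

        System.out.println("txA local: " + txA.getLocal(TX_KEY));
        System.out.println("txB local: " + txB.getLocal(TX_KEY));
        System.out.println("txB is a duplicated context: " + txB.isDuplicate());

        vertx.close();
    }
}
```

The helper is the only place that should call duplicate() in application code; routing every duplication through duplicateFromRoot makes the workaround hold even on code paths that do not know whether the context they were handed is already a duplicate.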
