eclipse-vertx/vert.x

eclipse-vertx/vert.x

Releases217

Frequency3 weeks 3 days

Last Release about 23 hours ago

Stars14.7K

Vert.x is a tool-kit for building reactive applications on the JVM

Log in to subscribe

CVE History

CVE	Published	CVSS v3	CVSS v2
CVE-2026-6860 ↗	May 6, 2026Wednesday, 6 May 2026, 10:16	5.3 MEDIUM	—
A TCP client can perform a TLS handshake and present the server name extension with a server name that is accepted by a server wildcard name, e.g. if the server is configured with a certificate accepting *.example.com, any XYZ.example.com where xyz is a valid name can be used.
CVE-2026-1002 ↗	Jan 15, 2026Thursday, 15 January 2026, 21:16	5.3 MEDIUM	—
The Vert.x Web static handler component cache can be manipulated to deny the access to static files served by the handler using specifically crafted request URI. The issue comes from an improper implementation of the C. rule of section 5.2.4 of RFC3986 and is fixed in Vert.x Core component (used by Vert.x Web): https://github.com/eclipse-vertx/vert.x/pull/5895 Steps to reproduce Given a file served by the static handler, craft an URI that introduces a string like bar%2F..%2F after the last / char to deny the access to the URI with an HTTP 404 response. For example https://example.com/foo/index.html can be denied with https://example.com/foo/bar%2F..%2Findex.html Mitgation Disabling Static Handler cache fixes the issue. StaticHandler staticHandler = StaticHandler.create().setCachingEnabled(false);
CVE-2024-1023 ↗	Mar 27, 2024Wednesday, 27 March 2024, 08:15	6.5 MEDIUM	—
A vulnerability in the Eclipse Vert.x toolkit results in a memory leak due to using Netty FastThreadLocal data structures. Specifically, when the Vert.x HTTP client establishes connections to different hosts, triggering the memory leak. The leak can be accelerated with intimate runtime knowledge, allowing an attacker to exploit this vulnerability. For instance, a server accepting arbitrary internet addresses could serve as an attack vector by connecting to these addresses, thereby accelerating the memory leak.
CVE-2018-12541 ↗	Oct 10, 2018Wednesday, 10 October 2018, 20:29	6.5 MEDIUM	4 MEDIUM
In version from 3.0.0 to 3.5.3 of Eclipse Vert.x, the WebSocket HTTP upgrade implementation buffers the full http request before doing the handshake, holding the entire request body in memory. There should be a reasonnable limit (8192 bytes) above which the WebSocket gets an HTTP response with the 413 status code and the connection gets closed.
CVE-2018-12537 ↗	Aug 14, 2018Tuesday, 14 August 2018, 19:29	—	5 MEDIUM
In Eclipse Vert.x version 3.0 to 3.5.1, the HttpServer response headers and HttpClient request headers do not filter carriage return and line feed characters from the header value. This allow unfiltered values to inject a new header in the client request or server response.