Eclipse Vert X
By the Year
In 2026 there have been 0 vulnerabilities in Eclipse Vert X. Last year, in 2025, Vert X had 2 security vulnerabilities published. Right now, Vert X is on track to have fewer security vulnerabilities in 2026 than it did last year.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 0 | 0.00 |
| 2025 | 2 | 0.00 |
| 2024 | 1 | 7.50 |
| 2023 | 0 | 0.00 |
| 2022 | 0 | 0.00 |
| 2021 | 0 | 0.00 |
| 2020 | 1 | 0.00 |
| 2019 | 0 | 0.00 |
| 2018 | 4 | 7.60 |
It may take a day or so for new Vert X vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Eclipse Vert X Security Vulnerabilities
Eclipse Vert.x StaticHandler flaw: hidden dirs not blocked v4.0.0-5.0.4
CVE-2025-11965
- October 22, 2025
In Eclipse Vert.x versions [4.0.0, 4.5.21] and [5.0.0, 5.0.4], a StaticHandler configuration for restricting access to hidden files fails to restrict access to hidden directories, allowing unauthorized users to retrieve files within them (e.g. '.git/config').
Files or Directories Accessible to External Parties
Stored XSS via Unescaped Filenames in Vert.x Directory Listing (4.0-5.0)
CVE-2025-11966
- October 22, 2025
In Eclipse Vert.x versions [4.0.0, 4.5.21] and [5.0.0, 5.0.4], when "directory listing" is enabled, file and directory names are inserted into generated HTML without proper escaping in the href, title, and link attributes. An attacker who can create or rename files or directories within a served path can craft filenames containing malicious script or HTML content, leading to stored cross-site scripting (XSS) that executes in the context of users viewing the affected directory listing.
XSS
Eclipse Vert.x gRPC Server/Client Payload Length Unbounded (4.3.0-4.5.9)
CVE-2024-8391
7.5 - High
- September 04, 2024
In Eclipse Vert.x versions 4.3.0 to 4.5.9, the gRPC server does not limit the maximum length of message payload (Maven GAV: io.vertx:vertx-grpc-server and io.vertx:vertx-grpc-client). This is fixed in version 4.5.10. Note that this does not affect the Vert.x gRPC server based on the grpc-java and Netty libraries (Maven GAV: io.vertx:vertx-grpc).
Allocation of Resources Without Limits or Throttling
In Eclipse Vert.x 3.4.x up to 3.9.4, 4.0.0.milestone1, 4.0.0.milestone2, 4.0.0.milestone3, 4.0.0.milestone4, 4.0.0.milestone5, 4.0.0.Beta1, 4.0.0.Beta2, and 4.0.0.Beta3, StaticHandler doesn't correctly process backslashes on Windows operating systems
CVE-2019-17640
- October 15, 2020
In Eclipse Vert.x 3.4.x up to 3.9.4, 4.0.0.milestone1, 4.0.0.milestone2, 4.0.0.milestone3, 4.0.0.milestone4, 4.0.0.milestone5, 4.0.0.Beta1, 4.0.0.Beta2, and 4.0.0.Beta3, StaticHandler doesn't correctly process backslashes on Windows operating systems, allowing a request to escape the webroot folder to the current working directory.
Relative Path Traversal
In versions from 3.0.0 to 3.5.3 of Eclipse Vert.x
CVE-2018-12541
6.5 - Medium
- October 10, 2018
In versions from 3.0.0 to 3.5.3 of Eclipse Vert.x, the WebSocket HTTP upgrade implementation buffers the full HTTP request before doing the handshake, holding the entire request body in memory. There should be a reasonable limit (8192 bytes) above which the WebSocket gets an HTTP response with the 413 status code and the connection gets closed.
Buffer Overflow
In versions from 3.5.Beta1 to 3.5.3 of Eclipse Vert.x
CVE-2018-12544
9.8 - Critical
- October 10, 2018
In versions from 3.5.Beta1 to 3.5.3 of Eclipse Vert.x, the OpenAPI XML type validator creates XML parsers without taking appropriate defenses against XML attacks. This applies exclusively when the developer uses the Eclipse Vert.x OpenAPI XML type validator to validate a provided schema.
XXE
In Eclipse Vert.x version 3.0 to 3.5.1, the HttpServer response headers and HttpClient request headers do not filter carriage return and line feed characters
CVE-2018-12537
5.3 - Medium
- August 14, 2018
In Eclipse Vert.x versions 3.0 to 3.5.1, the HttpServer response headers and HttpClient request headers do not filter carriage return and line feed characters from the header value. This allows unfiltered values to inject a new header in the client request or server response.
Improper Input Validation
In versions from 3.0.0 to 3.5.2 of Eclipse Vert.x, the CSRFHandler does not assert
CVE-2018-12540
8.8 - High
- July 12, 2018
In versions from 3.0.0 to 3.5.2 of Eclipse Vert.x, the CSRFHandler does not assert that the XSRF Cookie matches the returned XSRF header/form parameter. This allows replay attacks with previously issued tokens which are not expired yet.
Session Riding