6.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2018-12541

GHSA ID

GHSA-45xm-v8gq-7jqx

EPSS Score

0.79101%

CWE

CWE-119

Published

10/17/2018

Updated

3/28/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2018-12541

CVE-2018-12541: Excessive memory allocation

In version from 3.0.0 to 3.5.3 of Eclipse Vert.x, the WebSocket HTTP upgrade implementation buffers the full http request before doing the handshake, holding the entire request body in memory. There should be a reasonnable limit (8192 bytes) above which the WebSocket gets an HTTP response with the 413 status code and the connection gets closed.

(GitHub Advisory)

6.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2018-12541

GHSA ID

GHSA-45xm-v8gq-7jqx

EPSS Score

0.79101%

CWE

CWE-119

Published

10/17/2018

Updated

3/28/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
io.vertx:vertx-core	maven	>= 3.0.0, < 3.5.4	3.5.4

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from how WebSocket HTTP upgrade requests were handled. The pre-patch implementation in HttpServerImpl.java's handleMessage() method wrote all incoming HttpContent chunks into a buffer without checking accumulated size. This allowed unbounded memory consumption during WebSocket handshakes. The GitHub commit shows the fix added a 8192-byte limit check in this method, and the CVE description explicitly references this buffering behavior as the flaw. The test case added in WebsocketTest.java confirms the 413 response logic was missing before the patch.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

In v*rsion *rom *.*.* to *.*.* o* **lips* V*rt.x, t** W**So*k*t *TTP up*r*** impl*m*nt*tion *u***rs t** *ull *ttp r*qu*st ***or* *oin* t** **n*s**k*, *ol*in* t** *ntir* r*qu*st *o*y in m*mory. T**r* s*oul* ** * r**sonn**l* limit (**** *yt*s) **ov* w*

Reasoning

T** vuln*r**ility st*ms *rom *ow W**So*k*t *TTP up*r*** r*qu*sts w*r* **n*l**. T** pr*-p*t** impl*m*nt*tion in `*ttpS*rv*rImpl.j*v*`'s `**n*l*M*ss***()` m*t*o* wrot* *ll in*omin* `*ttp*ont*nt` **unks into * *u***r wit*out ****kin* ***umul*t** siz*. T

6.5

Basic Information

Concerned about an active attack path?

CVE-2018-12541: Excessive memory allocation

6.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI