N/A

CVSS Score

-

CVSS Score

Basic Information

CVE ID

CVE-2025-11966

GHSA ID

GHSA-45p5-v273-3qqr

EPSS Score

CWE

CWE-79

Published

10/22/2025

Updated

10/22/2025

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-11966

CVE-2025-11966: Vert.x-Web vulnerable to Stored Cross-site Scripting in directory listings via file names

Description

In the StaticHandlerImpl#sendDirectoryListing(...) method under the text/html branch, file and directory names are directly embedded into the href, title, and link text without proper HTML escaping.
As a result, in environments where an attacker can control file names, injecting HTML/JavaScript is possible. Simply accessing the directory listing page will trigger an XSS.
Affected Code:
- File: vertx-web/src/main/java/io/vertx/ext/web/handler/impl/StaticHandlerImpl.java
- Lines:
  - 709–713: normalizedDir is constructed without escaping
  - 714–731: <li><a ...> elements insert file names directly into attributes and body without escaping
  - 744: parent directory name construction
  - 746–751: {directory}, {parent}, and {files} are inserted into the HTML template without escaping

Reproduction Steps

Prerequisites:
- Directory listing is enabled using StaticHandler
  (e.g., StaticHandler.create("public").setDirectoryListing(true))
- The attacker has the ability to create arbitrary file names under a public directory (e.g., via upload functionality or a shared directory)
Create a malicious file name (example for Unix-based OS):
- Create an empty file in public/ with one of the following names:
  - <img src=x onerror=alert('XSS')>.txt
  - Or attribute injection: evil" onmouseover="alert('XSS')".txt
- Example:
```
mkdir -p public
printf 'test' > "public/<img src=x onerror=alert('XSS')>.txt"
```

Miggo Vulnerability Database

→

CVE-2025-11966

CVE-2025-11966:

N/A

CVSS Score

-

CVSS Score

Basic Information

CVE ID

CVE-2025-11966

GHSA ID

GHSA-45p5-v273-3qqr

EPSS Score

CWE

CWE-79

Published

10/22/2025

Updated

10/22/2025

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
io.vertx:vertx-web	maven	< 4.5.22	4.5.22
io.vertx:vertx-web	maven	>= 5.0.0, <= 5.0.4	5.0.5

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability exists in the sendDirectoryListing method of the StaticHandlerImpl class. The provided vulnerability description explicitly points to this method and the lack of HTML escaping for file names when generating directory listings. To confirm this, I analyzed the commits that patched the vulnerability in versions 4.5.22 and 5.0.5 of vertx-web. The commits f2dbc2a364e6dddcfe50f1dd66d27b8b3e715368 and 121d09c1c34ff23f16d0df63b988579ca9f3f970 clearly show the fix. Before the patch, the file variable (containing the filename) was concatenated directly into the HTML string. The patch introduces calls to Utils.encodeUriPath for the href attribute and Utils.escapeHTML for the title attribute and the link text. This prevents the browser from interpreting malicious file names as code. Therefore, the sendDirectoryListing function is the exact location of the vulnerability, as it is responsible for processing the untrusted file names and generating the unsafe HTML output.

Vulnerable functions

io.vertx.ext.web.handler.impl.StaticHandlerImpl.sendDirectoryListing

vertx-web/src/main/java/io/vertx/ext/web/handler/impl/StaticHandlerImpl.java

The `sendDirectoryListing` function is vulnerable to stored XSS because it constructs an HTML directory listing by directly embedding file names into the `href` and `title` attributes of an `<a>` tag, as well as the link text itself, without proper HTML escaping or URL encoding. An attacker who can create files with malicious names (e.g., containing HTML and JavaScript) on the file system can cause that code to be executed in the browser of any user who views the directory listing.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

N/A

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-11966: Vert.x-Web vulnerable to Stored Cross-site Scripting in directory listings via file names

Description

Reproduction Steps

CVE-2025-11966:

N/A

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI

Detect and Respond To Threats Faster.

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2025-11966: Vert.x-Web vulnerable to Stored Cross-site Scripting in directory listings via file names

Description

Reproduction Steps

Potential Impact

Similar CVEs Previously Reported

N/A

N/A

Technical Details

Basic Information

Basic Information

N/A

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-11966: Vert.x-Web vulnerable to Stored Cross-site Scripting in directory listings via file names

Description

Reproduction Steps

CVE-2025-11966:

N/A

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2025-11966: Vert.x-Web vulnerable to Stored Cross-site Scripting in directory listings via file names

Description

Reproduction Steps

Potential Impact

Similar CVEs Previously Reported

N/A

N/A

Technical Details

Basic Information

Basic Information

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI