Io.vertx:vertx-web

This hub aggregates every CVE we track for Io.vertx:vertx-web, a product in the oss libraries space. Use it to gauge the current risk picture and drill into individual advisories.

Severity distribution

Monthly trend

The 7 most recently published vulnerabilities affecting Io.vertx:vertx-web.

• CVE-2025-11965In Eclipse Vert.x versions [4.0.0, 4.5.21] and [5.0.0, 5.0.4], a StaticHandler configuration for restricting access to hidden files fails to restrict access to hidden directories, allowing unauthor...7.5Oct 22, 2025
• CVE-2025-11966In Eclipse Vert.x versions [4.0.0, 4.5.21] and [5.0.0, 5.0.4], when "directory listing" is enabled, file and directory names are inserted into generated HTML without proper escaping in the href, ti...6.4Oct 22, 2025
• CVE-2023-24815Disclosure of classpath resources on Windows when mounted on a wildcard route in vertx-web4.8Feb 9, 2023
• CVE-2020-35217Vert.x-Web framework v4.0 milestone 1-4 does not perform a correct CSRF verification. Instead of comparing the CSRF token in the request with the CSRF token in the cookie, it compares the CSRF toke...8.8Jan 20, 2021
• CVE-2019-17640In Eclipse Vert.x 3.4.x up to 3.9.4, 4.0.0.milestone1, 4.0.0.milestone2, 4.0.0.milestone3, 4.0.0.milestone4, 4.0.0.milestone5, 4.0.0.Beta1, 4.0.0.Beta2, and 4.0.0.Beta3, StaticHandler doesn't corre...9.8Oct 15, 2020
• CVE-2018-12542In version from 3.0.0 to 3.5.3 of Eclipse Vert.x, the StaticHandler uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '\'...9.8Oct 10, 2018
• CVE-2018-12540In version from 3.0.0 to 3.5.2 of Eclipse Vert.x, the CSRFHandler do not assert that the XSRF Cookie matches the returned XSRF header/form parameter. This allows replay attacks with previously issu...8.8Jul 12, 2018