CVE-2025-11966: Vert.x-Web vulnerable to Stored Cross-site Scripting in directory listings via file names

(updated )

  • In the StaticHandlerImpl#sendDirectoryListing(...) method under the text/html branch, file and directory names are directly embedded into the href, title, and link text without proper HTML escaping.
  • As a result, in environments where an attacker can control file names, injecting HTML/JavaScript is possible. Simply accessing the directory listing page will trigger an XSS.
  • Affected Code:
  • File: vertx-web/src/main/java/io/vertx/ext/web/handler/impl/StaticHandlerImpl.java
  • Lines:
  • 709–713: normalizedDir is constructed without escaping
  • 714–731: <li><a ...> elements insert file names directly into attributes and body without escaping
  • 744: parent directory name construction
  • 746–751: {directory}, {parent}, and {files} are inserted into the HTML template without escaping

References

Code Behaviors & Features

Detect and mitigate CVE-2025-11966 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →