GHSA-cphf-4846-3xx9

Source

https://github.com/advisories/GHSA-cphf-4846-3xx9

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-cphf-4846-3xx9/GHSA-cphf-4846-3xx9.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-cphf-4846-3xx9

Aliases

CVE-2026-1002

Downstream

MINI-fwp4-6ph3-w3qq

MINI-r3p4-6j3q-65jq

Published

2026-01-15T21:31:48Z

Modified

2026-01-15T23:11:30.469666Z

Severity

6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L CVSS Calculator

Summary

Vert.x Web static handler component cache can be manipulated to deny the access to static files

Details

The Vert.x Web static handler component cache can be manipulated to deny the access to static files served by the handler using specifically crafted request URI.

The issue comes from an improper implementation of the C. rule of section 5.2.4 of RFC3986 and is fixed in Vert.x Core component (used by Vert.x Web): https://github.com/eclipse-vertx/vert.x/pull/5895

Steps to reproduce Given a file served by the static handler, craft an URI that introduces a string like bar%2F..%2F after the last / char to deny the access to the URI with an HTTP 404 response. For example https://example.com/foo/index.html can be denied with https://example.com/foo/bar%2F..%2Findex.html

Mitgation Disabling Static Handler cache fixes the issue.

StaticHandler staticHandler = StaticHandler.create().setCachingEnabled(false);

Database specific

{
    "cwe_ids": [
        "CWE-444"
    ],
    "severity": "MODERATE",
    "github_reviewed_at": "2026-01-15T22:51:27Z",
    "github_reviewed": true,
    "nvd_published_at": "2026-01-15T21:16:05Z"
}

References

Affected packages

Maven / io.vertx:vertx-core

Package

Name: io.vertx:vertx-core; View open source insights on deps.dev
Purl: pkg:maven/io.vertx/vertx-core

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

4.5.24

Affected versions

2.*

2.0.0-beta1

2.0.0-beta2

2.0.0-beta3

2.0.0-beta4

2.0.0-beta5

2.0.0-CR1

2.0.0-CR2

2.0.0-CR3

2.0.0-final

2.0.1-final

2.0.2-final

2.1M1

2.1M2

2.1M3

2.1M4

2.1M5

2.1RC1

2.1RC2

2.1RC3

2.1

2.1.1

2.1.2

2.1.3

2.1.4

2.1.5

2.1.6

3.*

3.0.0-milestone2

3.0.0-milestone3

3.0.0-milestone4

3.0.0-milestone5

3.0.0-milestone6

3.0.0

3.0.0-dev_preview1

3.1.0

3.2.0

3.2.1

3.3.0.CR1

3.3.0.CR2

3.3.0

3.3.1

3.3.2

3.3.3

3.4.0.Beta1

3.4.0

3.4.1

3.4.2

3.5.0.Beta1

3.5.0

3.5.1

3.5.2.CR1

3.5.2.CR2

3.5.2.CR3

3.5.2

3.5.3.CR1

3.5.3

3.5.4

3.6.0.CR1

3.6.0.CR2

3.6.0

3.6.1

3.6.2

3.6.3

3.7.0

3.7.1

3.8.0

3.8.1

3.8.2

3.8.3

3.8.4

3.8.5

3.9.0

3.9.1

3.9.2

3.9.3

3.9.4

3.9.5

3.9.6

3.9.7

3.9.8

3.9.9

3.9.10

3.9.11

3.9.12

3.9.13

3.9.14

3.9.15

3.9.16

4.*

4.0.0-milestone1

4.0.0-milestone2

4.0.0-milestone3

4.0.0-milestone4

4.0.0-milestone5

4.0.0.Beta1

4.0.0.Beta2

4.0.0.Beta3

4.0.0.CR1

4.0.0.CR2

4.0.0

4.0.1

4.0.2

4.0.3

4.1.0.Beta1

4.1.0.CR1

4.1.0.CR2

4.1.0

4.1.1

4.1.2

4.1.3

4.1.4

4.1.5

4.1.6

4.1.7

4.1.8

4.2.0.Beta1

4.2.0.CR1

4.2.0

4.2.1

4.2.2

4.2.3

4.2.4

4.2.5

4.2.6

4.2.7

4.3.0

4.3.1

4.3.2

4.3.3

4.3.4

4.3.5

4.3.6

4.3.7

4.3.8

4.4.0

4.4.1

4.4.2

4.4.3

4.4.4

4.4.5

4.4.6

4.4.7

4.4.8

4.4.9

4.5.0

4.5.1

4.5.2

4.5.3

4.5.4

4.5.5

4.5.6

4.5.7

4.5.8

4.5.9

4.5.10

4.5.11

4.5.12

4.5.13

4.5.14

4.5.15

4.5.16

4.5.17

4.5.18

4.5.19

4.5.20

4.5.21

4.5.22

4.5.23

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-cphf-4846-3xx9/GHSA-cphf-4846-3xx9.json"