How severe is GHSA-45p5-v273-3qqr?

GHSA-45p5-v273-3qqr has a CVSS score of 4.9/10, rated MEDIUM. Review your exposure and patch according to your risk tolerance.

Which packages are affected by GHSA-45p5-v273-3qqr?

GHSA-45p5-v273-3qqr affects the following packages: io.vertx:vertx-web (Maven), io.vertx:vertx-web (Maven). Ecosystems affected: Maven.

How do I fix GHSA-45p5-v273-3qqr?

Update io.vertx:vertx-web to 4.5.22 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-45p5-v273-3qqr is resolved across your whole dependency graph.

How do I detect GHSA-45p5-v273-3qqr in my Maven dependencies?

Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for io.vertx:vertx-web. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.

How do I mitigate GHSA-45p5-v273-3qqr if there is no patch (or I can't update yet)?

If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.

How does O3 Security protect against GHSA-45p5-v273-3qqr?

O3 pinpoints whether GHSA-45p5-v273-3qqr is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Is GHSA-45p5-v273-3qqr actively exploited in the wild?

No public exploit code has been indexed for GHSA-45p5-v273-3qqr yet. This does not mean the vulnerability cannot be exploited — absence of public exploits does not imply safety. Apply the recommended fix and use O3 Security to monitor your exposure.

What is the EPSS score for GHSA-45p5-v273-3qqr?

GHSA-45p5-v273-3qqr has an EPSS (Exploit Prediction Scoring System) score of 0.3%, placing it in the 18th percentile of all CVEs. EPSS is maintained by FIRST.org and estimates the probability that a vulnerability will be exploited in the wild within the next 30 days. This score indicates relatively lower exploitation probability, though the CVSS severity should still guide your patching priority.

What type of vulnerability is GHSA-45p5-v273-3qqr?

GHSA-45p5-v273-3qqr is classified as Cross-site Scripting (XSS) (CWE-79), CWE-80 (CWE-80). These weakness types describe the underlying flaw category, which helps determine the potential impact and the right class of mitigation. This is a high-impact weakness class that often enables remote code execution or data exposure.

When was GHSA-45p5-v273-3qqr published, and has it been updated?

GHSA-45p5-v273-3qqr was published on October 22, 2025 and was last updated on February 4, 2026. Advisory data evolves as severity scores, affected ranges, and exploit intelligence are revised — always check the latest version of the advisory before acting.

☕ Maven

GHSA-45p5-v273-3qqr

MEDIUM

Vert.x-Web vulnerable to Stored Cross-site Scripting in directory listings via file names

Also known asCVE-2025-11966

Published

Oct 22, 2025

Updated

Feb 4, 2026

Affected

2 pkgs

Patched

2 / 2

Exploits

None indexed

EPSS Exploitation Probability

via FIRST.org ↗

0.3%probability of exploitation in next 30 days

Lower Risk18th percentile+0.24%

EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.

Blast Radius

2 pkgs affected

☕io.vertx:vertx-web☕io.vertx:vertx-web

Real-time download stats are indexed for npm and PyPI packages. This vulnerability affects Maven packages — download data is not available via public APIs for these ecosystems.

Description

In the StaticHandlerImpl#sendDirectoryListing(...) method under the text/html branch, file and directory names are directly embedded into the href, title, and link text without proper HTML escaping.
As a result, in environments where an attacker can control file names, injecting HTML/JavaScript is possible. Simply accessing the directory listing page will trigger an XSS.
Affected Code:
- File: vertx-web/src/main/java/io/vertx/ext/web/handler/impl/StaticHandlerImpl.java
- Lines:
  - 709–713: normalizedDir is constructed without escaping
  - 714–731: <li><a ...> elements insert file names directly into attributes and body without escaping
  - 744: parent directory name construction
  - 746–751: {directory}, {parent}, and {files} are inserted into the HTML template without escaping

Reproduction Steps

Prerequisites:
- Directory listing is enabled using StaticHandler
  (e.g., StaticHandler.create("public").setDirectoryListing(true))
- The attacker has the ability to create arbitrary file names under a public directory (e.g., via upload functionality or a shared directory)
Create a malicious file name (example for Unix-based OS):
- Create an empty file in public/ with one of the following names:
  - <img src=x onerror=alert('XSS')>.txt
  - Or attribute injection: evil" onmouseover="alert('XSS')".txt
- Example:
```
mkdir -p public
printf 'test' > "public/<img src=x onerror=alert('XSS')>.txt"
```
Start the server (example):
- Routing: router.route("/public/*").handler(StaticHandler.create("public").setDirectoryListing(true));
- Server: vertx.createHttpServer().requestHandler(router).listen(8890);

Verification request (raw HTTP):

GET /public/ HTTP/1.1
Host: 127.0.0.1:8890
Accept: text/html
Connection: close

Example response excerpt:

<ul id="files">
  <li>
    <a href="/public/<img src=x onerror=alert('XSS')>.txt"
       title="<img src=x onerror=alert('XSS')>.txt">
       <img src=x onerror=alert('XSS')>.txt
    </a>
  </li>
  ...
</ul>

When accessing /public/ in a browser, the unescaped file name is interpreted as HTML, and event handlers such as onerror are executed.

Potential Impact

Stored XSS
- Arbitrary JavaScript executes in the browser context of users viewing the listing page
- Possible consequences:
  - Theft of session tokens, JWTs, localStorage contents, or CSRF tokens
  - Unauthorized actions with admin privileges (user creation, permission changes, settings modifications)
  - Watering hole attacks, including malware distribution or malicious script injection to other pages
Common Conditions That Make Exploitation Easier
- Uploaded files are served directly under a publicly accessible directory
- Shared/synced directories (e.g., NFS, SMB, WebDAV, or cloud sync) are exposed
- ZIP/TAR archives are extracted directly under the webroot and directory listing is enabled in production environments

Similar CVEs Previously Reported

CVE‑2024‑32966
CVE‑2019‑15603

Affected Packages

2 total 2 fixed

Ecosystem	Package	Vulnerable range	Fix
☕Maven	`io.vertx:vertx-web`	all versions	4.5.22
☕Maven	`io.vertx:vertx-web`	≥ 5.0.0&&< 5.0.5	5.0.5

Detection & mitigation playbook

Open-source dependency

Detect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for io.vertx:vertx-web. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update io.vertx:vertx-web to 4.5.22 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-45p5-v273-3qqr is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-45p5-v273-3qqr is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Tailored to GHSA-45p5-v273-3qqr. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.

Frequently Asked Questions

# Description - In the `StaticHandlerImpl#sendDirectoryListing(...)` method under the `text/html` branch, file and directory names are directly embedded into the `href`, `title`, and link text without proper HTML escaping. - As a result, in environments where an attacker can control file names, injecting HTML/JavaScript is possible. Simply accessing the directory listing page will trigger an XSS. - Affected Code: - File: `vertx-web/src/main/java/io/vertx/ext/web/handler/impl/StaticHandlerImpl.java` - Lines: - 709–713: `normalizedDir` is constructed without escaping - 7

O3 Security · Impact-Aware SCA

Is GHSA-45p5-v273-3qqr in your dependencies?

O3 detects GHSA-45p5-v273-3qqr across Maven dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.

Scan my dependencies How O3 SCA works

GHSA-45p5-v273-3qqr

EPSS Exploitation Probability

Blast Radius

Description

Description

Reproduction Steps

Potential Impact

Similar CVEs Previously Reported

Affected Packages

Detection & mitigation playbook

Detect

Fix

Workarounds

How O3 protects you

Frequently Asked Questions

Is GHSA-45p5-v273-3qqr in your dependencies?