Vertx-Web, Stored Cross-site Scripting, CVE-2025-XXXXX (Low)


How the CVE works:

The vulnerability lies in the `StaticHandlerImpl.sendDirectoryListing` method, which generates directory listings in HTML. File and directory names, taken directly from the filesystem, are embedded into the generated HTML without contextual escaping. Specifically, the normalized directory path and the individual file names are inserted into the `href` and `title` attributes, as well as the link text, of `<a>` tags inside `<li>` elements. When a user navigates to a directory listing that contains a file with a malicious name, such as one containing HTML event handlers, the browser interprets the unescaped input as part of the DOM. This allows arbitrary JavaScript to execute in the context of the victim's session with the Vert.x-Web server.
Platform: Vert.x-Web
Version: <4.5.22, 5.0.0-5.0.4

Vulnerability: Stored XSS

Severity: Low

Date: 2024-10-22

Prediction: 2024-11-05

What Undercode Says:

# Find files under the web root whose names contain '<'
find ./public -name '*<*' -type f
    
import java.nio.file.Files;
import java.nio.file.Paths;

// Malicious filename example: an HTML event handler embedded in the name
String fileName = "<img src=x onerror=alert(1)>.txt";
Files.createFile(Paths.get("public", fileName));

// Vulnerable code pattern (simplified): the raw filesystem name is concatenated
// into the href attribute, the title attribute and the link text without escaping
String fileListHtml = "<li><a href=\"" + rawFileName + "\" title=\"" + rawFileName + "\">" + rawFileName + "</a></li>";
output.write(fileListHtml);
    

How the exploit works:

Create a malicious filename.

Enable directory listing.

A user visits the listing page.

The script executes automatically.

Protection from this CVE

Upgrade to patched versions: 4.5.22, 5.0.5.

Disable directory listing.

Implement output encoding.
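Output encoding at each of the three interpolation points named in the advisory (href attribute, title attribute, link text), as an added example that is not Vert.x-Web's own code; the class name, the `/public/` path and the listing entries are constructed for illustration.

```java
// Added example (not Vert.x-Web's own code): the raw concatenation pattern from the advisory
// next to a version that HTML-escapes every interpolation point it names (href attribute,
// title attribute and link text). Entry names and the directory path are constructed inputs.
import java.util.List;

public final class DirectoryListingEscaping {
    // Escape the five characters that can terminate an attribute value or open a tag.
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Vulnerable pattern: filesystem names are inserted verbatim into three HTML contexts.
    static String vulnerableItem(String normalizedDir, String name) {
        return "<li><a href=\"" + normalizedDir + name + "\" title=\"" + name + "\">"
                + name + "</a></li>";
    }

    // Hardened form: identical markup, but each interpolation is escaped for its context.
    static String safeItem(String normalizedDir, String name) {
        String esc = escapeHtml(name);
        return "<li><a href=\"" + escapeHtml(normalizedDir) + esc + "\" title=\"" + esc + "\">"
                + esc + "</a></li>";
    }

    // Render a whole listing the way the handler does: one <li> per entry inside a <ul>.
    static String safeListing(String normalizedDir, List<String> names) {
        StringBuilder sb = new StringBuilder("<ul>\n");
        for (String n : names) sb.append("  ").append(safeItem(normalizedDir, n)).append('\n');
        return sb.append("</ul>").toString();
    }

    public static void main(String[] args) {
        String malicious = "<img src=x onerror=alert(1)>.txt"; // filename quoted in the advisory
        System.out.println("vulnerable: " + vulnerableItem("/public/", malicious));
        System.out.println("escaped:    " + safeItem("/public/", malicious));
        System.out.println(safeListing("/public/", List.of("readme.txt", malicious)));
    }
}
```

In the escaped output the `<img ...>` name survives only as text (`&lt;img src=x onerror=alert(1)&gt;.txt`), so the browser never sees a new element or event handler.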

Impact:

Stored Cross-site Scripting.

Session hijacking potential.

Low severity rating.


Sources:

Reported By: github.com