CVE-2026-1002
January 15, 2026
The cache of the Vert.x Web StaticHandler can be manipulated with a specially crafted request URI so that a static file served by the handler is no longer accessible: subsequent requests for the legitimate URI receive an HTTP 404 response.
The issue comes from an improper implementation of rule C of section 5.2.4 ("Remove Dot Segments") of RFC 3986 in the Vert.x Core component used by Vert.x Web, and is fixed in Vert.x Core: https://github.com/eclipse-vertx/vert.x/pull/5895
Steps to reproduce
Given a file served by the static handler, craft a URI that inserts a string such as bar%2F..%2F (a dummy segment followed by a percent-encoded "/..") after the last / character of the path. Once that request has been processed, the original URI is denied with an HTTP 404 response. For example, https://example.com/foo/index.html can be denied by requesting https://example.com/foo/bar%2F..%2Findex.html.
Mitigation
Disabling the StaticHandler cache works around the issue until Vert.x Core is updated to a fixed version:
StaticHandler staticHandler = StaticHandler.create().setCachingEnabled(false);
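The following is an added example, not code from Vert.x or from the fix linked above. It implements the "remove_dot_segments" algorithm of RFC 3986 section 5.2.4 (the rule C the advisory refers to) and then runs the two requests from the reproduction steps through a constructed model of a static-file cache keyed on the normalised path. The model shows why the order of percent-decoding and dot-segment removal decides whether the crafted URI shares a cache key with the legitimate one, and why disabling the cache removes the effect. The in-memory webroot, the resolve_file() lookup and the StaticCache class are assumptions for illustration; they do not reproduce Vert.x internals.

```python
# Added example (not Vert.x code). RFC 3986 5.2.4 remove_dot_segments plus a
# constructed model of a static-file cache keyed on the normalised path.
# WEBROOT, resolve_file() and StaticCache are illustrative assumptions.
from urllib.parse import unquote

# Constructed in-memory webroot: literal path -> body.
WEBROOT = {
    "/foo/index.html": b"<html>index</html>",
    "/foo/app.js": b"console.log('hi')",
}


def remove_dot_segments(path: str) -> str:
    """RFC 3986 5.2.4, rules A-E, applied to the raw path. Here '%2F' is an
    ordinary percent-encoded octet, not a segment delimiter, so
    'bar%2F..%2Findex.html' stays a single segment and rule C never fires."""
    inp, out = path, []
    while inp:
        if inp.startswith("../"):              # rule A
            inp = inp[3:]
        elif inp.startswith("./"):             # rule A
            inp = inp[2:]
        elif inp.startswith("/./"):            # rule B: "/./" -> "/"
            inp = inp[2:]
        elif inp == "/.":                      # rule B: trailing "/."
            inp = "/"
        elif inp.startswith("/../"):           # rule C: "/../" -> "/", pop last
            inp = inp[3:]
            if out:
                out.pop()
        elif inp == "/..":                     # rule C: trailing "/.."
            inp = "/"
            if out:
                out.pop()
        elif inp in (".", ".."):               # rule D
            inp = ""
        else:                                  # rule E: move first segment
            nxt = inp.find("/", 1 if inp.startswith("/") else 0)
            seg, inp = (inp, "") if nxt == -1 else (inp[:nxt], inp[nxt:])
            out.append(seg)
    return "".join(out)


def key_decode_then_normalize(raw_path: str) -> str:
    """Cache key from a normaliser that percent-decodes first. The decoded
    '%2F' becomes a real '/', rule C fires, and the crafted URI collapses onto
    the key of the legitimate file: the collision the advisory exploits."""
    return remove_dot_segments(unquote(raw_path))


def key_normalize_then_decode(raw_path: str) -> str:
    """Cache key in RFC order: dot segments removed on the raw path, then each
    segment decoded on its own. Distinct URIs keep distinct keys."""
    return "/".join(unquote(s) for s in remove_dot_segments(raw_path).split("/"))


def resolve_file(raw_path: str):
    """Constructed file lookup: each raw segment is decoded separately, the way
    a file system treats a single name, so 'bar%2F..%2Findex.html' is one
    literal component that no file has."""
    return WEBROOT.get("/".join(unquote(s) for s in raw_path.split("/")))


class StaticCache:
    """Constructed model of a static handler that memoises each lookup's
    status under a key derived from the request path."""

    def __init__(self, key_fn, caching=True):
        self.key_fn, self.caching, self.entries = key_fn, caching, {}

    def serve(self, raw_path: str) -> int:
        key = self.key_fn(raw_path)
        if self.caching and key in self.entries:
            return self.entries[key]
        status = 200 if resolve_file(raw_path) is not None else 404
        if self.caching:
            self.entries[key] = status
        return status


def demo(key_fn, caching=True):
    """Attacker request first, then the legitimate request; returns both
    statuses. With the decode-first key the 404 is stored under
    '/foo/index.html' and the real file is denied afterwards."""
    cache = StaticCache(key_fn, caching)
    attacker = cache.serve("/foo/bar%2F..%2Findex.html")
    victim = cache.serve("/foo/index.html")
    return attacker, victim


if __name__ == "__main__":
    print("decode first, cache on :", demo(key_decode_then_normalize))         # (404, 404)
    print("RFC order, cache on    :", demo(key_normalize_then_decode))         # (404, 200)
    print("decode first, cache off:", demo(key_decode_then_normalize, False))  # (404, 200)
```

The model makes the CWE-444 angle concrete: the cache and the file lookup interpret the same URI differently, so whatever the first interpretation yields (here a 404) is memoised under a key the second interpretation also produces. Normalising on the raw path before decoding, as RFC 3986 prescribes, keeps the two interpretations consistent; disabling the cache, as in the mitigation above, removes the memoisation so each request is resolved on its own.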
Affected Packages
https://github.com/eclipse-vertx/vert.x.git (GITHUB):
  Affected version(s): >=3.0.0 <4.5.24
  Fix suggestion: update to version 4.5.24
io.vertx:vertx-core (JAVA):
  Affected version(s): >=2.0.0-beta1 <4.5.24
  Fix suggestion: update to version 4.5.24
io.vertx:vertx-core (JAVA):
  Affected version(s): >=5.0.0.CR1 <5.0.7
  Fix suggestion: update to version 5.0.7
CVSS v4
Base Score: 6.9
Attack Vector: NETWORK
Attack Complexity: LOW
Attack Requirements: NONE
Privileges Required: NONE
User Interaction: NONE
Vulnerable System Confidentiality: NONE
Vulnerable System Integrity: NONE
Vulnerable System Availability: LOW
Subsequent System Confidentiality: NONE
Subsequent System Integrity: NONE
Subsequent System Availability: LOW
CVSS v3
Base Score: 5.8
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: CHANGED
Confidentiality: NONE
Integrity: NONE
Availability: LOW
Weakness Type (CWE)
CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
EPSS
Score: 0.02 (estimated probability of exploitation in the wild within the next 30 days)