Stored Cross-Site Scripting in Eclipse Vert.x Due to Improper Escaping
CVE-2025-11966

2.3LOW

Key Information:

Vendor: Eclipse Foundation
Status: Vert.x
Vendor: CVE Published:; 22 October 2025

🔔 Create Eclipse Foundation Vulnerability Alert

What is CVE-2025-11966?

A stored cross-site scripting vulnerability exists in Eclipse Vert.x versions 4.0.0 to 4.5.21 and 5.0.0 to 5.0.4, triggered when directory listing is enabled. The vulnerability arises from improper escaping of file and directory names inserted into generated HTML, allowing an attacker who can manipulate files within the served path to inject malicious scripts. These scripts execute in the context of users accessing the directory, potentially compromising sensitive information and user sessions.

Affected Version(s)

Vert.x 4.0.0 < 4.5.22

Vert.x 5.0.0 < 5.0.5

References

https://gitlab.eclipse.org/security/vulnerability-reports...

CVSS V4

Score:

2.3

Severity:

LOW

Confidentiality:

Low

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

High

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Oct 22, 2025
Vulnerability Reserved
Oct 20, 2025

Credit

Sho Odagiri

JSON