Bug 2405789 (CVE-2025-11966)

Summary: CVE-2025-11966 io.vertx/vertx-web: Eclipse Vert.x cross site scripting
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aazores, abrianik, anstephe, aprice, asoldano, avibelli, bbaranow, bgeorges, bmaxwell, brian.stansberry, caswilli, ccranfor, chfoley, clement.escoffier, cmah, dandread, darran.lofthouse, dhanak, dkreling, dosoudil, drosa, dsimansk, eaguilar, ebaron, eric.wittmann, fmariani, fmongiar, ggrzybek, gmalinko, gsmet, gtanzill, ibek, istudens, ivassile, iweiss, janstey, jbuscemi, jkoehler, jmartisk, jnethert, jolong, jpechane, jrokos, jsamir, kaycoth, kingland, kverlaen, lphiri, lthon, manderse, matzew, mnovotny, mosmerov, msochure, msvehla, nipatil, nwallace, oezr, olubyans, pantinor, parichar, pberan, pbizzarr, pdelbell, pesilva, pgallagh, pjindal, pmackay, probinso, rguimara, rkubis, rruss, rstancel, rstepani, rsvoboda, sausingh, sbiarozk, sdawley, smaestri, sthirugn, swoodman, tasato, tcunning, tom.jenkinson, tqvarnst, vkrizan, yfang
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
In Eclipse Vert.x, when "directory listing" is enabled, file and directory names are inserted into generated HTML without proper escaping in the href, title, and link attributes. An attacker who can create or rename files or directories within a served path can craft filenames containing malicious script or HTML content, leading to stored cross-site scripting (XSS) that executes in the context of users viewing the affected directory listing.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2025-10-22 15:02:16 UTC 
In Eclipse Vert.x versions [4.0.0, 4.5.21] and [5.0.0, 5.0.4], when "directory listing" is enabled, file and directory names are inserted into generated HTML without proper escaping in the href, title, and link attributes. An attacker who can create or rename files or directories within a served path can craft filenames containing malicious script or HTML content, leading to stored cross-site scripting (XSS) that executes in the context of users viewing the affected directory listing.
Comment 2 errata-xmlrpc 2025-12-16 23:14:33 UTC 
This issue has been addressed in the following products:

  Streams for Apache Kafka 3.1.0

Via RHSA-2025:23417 https://access.redhat.com/errata/RHSA-2025:23417