Vulnerability from cleanstart

Published

2026-01-30 14:00

Modified

2026-01-29 18:58

Summary

It was found that the cookie used for CSRF prevention in Keycloak was not unique to each session

Details

Multiple security vulnerabilities affect the keycloak package. It was found that the cookie used for CSRF prevention in Keycloak was not unique to each session. See references for individual vulnerability details.

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "CleanStart",
        "name": "keycloak"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "26.5.0-r0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "credits": [],
  "database_specific": {},
  "details": "Multiple security vulnerabilities affect the keycloak package. It was found that the cookie used for CSRF prevention in Keycloak was not unique to each session. See references for individual vulnerability details.",
  "id": "CLEANSTART-2026-SG80587",
  "modified": "2026-01-29T18:58:54Z",
  "published": "2026-01-30T14:00:21.027172Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://github.com/cleanstart-dev/cleanstart-security-advisories/tree/main/advisories/2026/CLEANSTART-2026-SG80587.json"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2017-12158"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2017-12159"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/GHSA-45p5-v273-3qqr"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/GHSA-5rfx-cp42-p624"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/GHSA-84h7-rjj3-6jx4"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/GHSA-h5fg-jpgr-rv9c"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-12158"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-12159"
    }
  ],
  "related": [],
  "schema_version": "1.7.3",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "It was found that the cookie used for CSRF prevention in Keycloak was not unique to each session",
  "upstream": [
    "CVE-2017-12158",
    "CVE-2017-12159",
    "GHSA-45p5-v273-3qqr",
    "GHSA-5rfx-cp42-p624",
    "GHSA-84h7-rjj3-6jx4",
    "GHSA-h5fg-jpgr-rv9c"
  ]
}

CVE-2017-12158 (GCVE-0-2017-12158)

Vulnerability from cvelistv5 – Published: 2017-10-26 17:00 – Updated: 2024-09-16 23:36

Summary

It was found that Keycloak would accept a HOST header URL in the admin console and use it to determine web resource locations. An attacker could use this flaw against an authenticated user to attain reflected XSS via a malicious server.

Severity ?

No CVSS data available.

CWE

CWE-444

Assigner

redhat

References

URL

	Vendor	Product	Version
	Red Hat, Inc.	keycloak	Affected: 3.4.0

CVE-2017-12159 (GCVE-0-2017-12159)

Vulnerability from cvelistv5 – Published: 2017-10-26 17:00 – Updated: 2024-09-16 21:02

Summary

It was found that the cookie used for CSRF prevention in Keycloak was not unique to each session. An attacker could use this flaw to gain access to an authenticated user session, leading to possible information disclosure or further attacks.

Severity ?

No CVSS data available.

CWE

CWE-613

Assigner

redhat

References

URL

	Vendor	Product	Version
	Red Hat, Inc.	keycloak	Affected: 3.4.0

GHSA-H5FG-JPGR-RV9C

Vulnerability from github – Published: 2025-10-22 19:38 – Updated: 2025-10-22 19:38

Summary

Vert.x-Web Access Control Flaw in StaticHandler’s Hidden File Protection for Files Under Hidden Directories

Details

Description

There is a flaw in the hidden file protection feature of Vert.x Web’s StaticHandler when setIncludeHidden(false) is configured.

In the current implementation, only files whose final path segment (i.e., the file name) begins with a dot (.) are treated as “hidden” and are blocked from being served. However, this logic fails in the following cases:

Files under hidden directories: For example, /.secret/config.txt — although .secret is a hidden directory, the file config.txt itself does not start with a dot, so it gets served.
Real-world impact: Sensitive files placed in hidden directories like .git, .env, .aws may become publicly accessible.

As a result, the behavior does not meet the expectations set by the includeHidden=false configuration, which should ideally protect all hidden files and directories. This gap may lead to unintended exposure of sensitive information.

Steps to Reproduce

1. Prepare test environment

# Create directory structure
mkdir -p src/test/resources/webroot/.secret
mkdir -p src/test/resources/webroot/.git

# Place test files
echo "This is a visible file" > src/test/resources/webroot/visible.txt
echo "This is a hidden file" > src/test/resources/webroot/.hidden.txt
echo "SECRET DATA: API_KEY=abc123" > src/test/resources/webroot/.secret/config.txt
echo "Git config data" > src/test/resources/webroot/.git/config

2. Implement test server

import io.vertx.core.AbstractVerticle;
import io.vertx.core.Vertx;
import io.vertx.ext.web.Router;
import io.vertx.ext.web.handler.StaticHandler;

public class StaticHandlerTestServer extends AbstractVerticle {
  @Override
  public void start() {
    Router router = Router.router(vertx);

    // Configure to not serve hidden files
    StaticHandler staticHandler = StaticHandler.create("src/test/resources/webroot")
      .setIncludeHidden(false)
      .setDirectoryListing(false);

    router.route("/*").handler(staticHandler);

    vertx.createHttpServer()
      .requestHandler(router)
      .listen(8082);
  }

  public static void main(String[] args) {
    Vertx vertx = Vertx.vertx();
    vertx.deployVerticle(new StaticHandlerTestServer());
  }
}

3. Confirm the vulnerability

# Normal file (accessible)
curl http://localhost:8082/visible.txt
# Result: 200 OK

# Hidden file (correctly blocked)
curl http://localhost:8082/.git
# Result: 404 Not Found

# File under hidden directory (vulnerable)
curl http://localhost:8082/.git/config
# Result: 200 OK - Returns contents of Git config

Potential Impact

1. Information Disclosure

Examples of sensitive files that could be exposed:

.git/config: Git repository settings (e.g., remote URL, credentials)
.env/*: Environment variables (API keys, DB credentials)
.aws/credentials: AWS access keys
.ssh/known_hosts: SSH host trust info
.docker/config.json: Docker registry credentials

2. Attack Scenarios

Attackers can guess common hidden directory names and enumerate filenames under them to access confidential data.
Especially dangerous for .git/HEAD, .git/config, .git/objects/* — which may allow full reconstruction of source code.

3. Affected Scope

Affected version: Vert.x Web 5.1.0-SNAPSHOT (likely earlier versions as well)
Environments: All OSes (Windows, Linux, macOS)
Configurations: All applications using StaticHandler.setIncludeHidden(false)

Severity ?

6.3 (Medium)


                  
                    CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "io.vertx:vertx-web"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.5.22"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 5.0.4"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "io.vertx:vertx-web"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.0.0"
            },
            {
              "fixed": "5.0.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-11965"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-552"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-10-22T19:38:04Z",
    "nvd_published_at": "2025-10-22T15:15:31Z",
    "severity": "MODERATE"
  },
  "details": "# Description\n\nThere is a flaw in the hidden file protection feature of Vert.x Web\u2019s `StaticHandler` when `setIncludeHidden(false)` is configured.\n\nIn the current implementation, only files whose final path segment (i.e., the file name) begins with a dot (`.`) are treated as \u201chidden\u201d and are blocked from being served. However, this logic fails in the following cases:\n\n- **Files under hidden directories**: For example, `/.secret/config.txt` \u2014 although `.secret` is a hidden directory, the file `config.txt` itself does not start with a dot, so it gets served.\n- **Real-world impact**: Sensitive files placed in hidden directories like `.git`, `.env`, `.aws` may become publicly accessible.\n\nAs a result, the behavior does not meet the expectations set by the `includeHidden=false` configuration, which should ideally protect all hidden files and directories. This gap may lead to unintended exposure of sensitive information.\n\n# Steps to Reproduce\n\n```bash\n1. Prepare test environment\n\n# Create directory structure\nmkdir -p src/test/resources/webroot/.secret\nmkdir -p src/test/resources/webroot/.git\n\n# Place test files\necho \"This is a visible file\" \u003e src/test/resources/webroot/visible.txt\necho \"This is a hidden file\" \u003e src/test/resources/webroot/.hidden.txt\necho \"SECRET DATA: API_KEY=abc123\" \u003e src/test/resources/webroot/.secret/config.txt\necho \"Git config data\" \u003e src/test/resources/webroot/.git/config\n```\n\n```java\n2. Implement test server\n\nimport io.vertx.core.AbstractVerticle;\nimport io.vertx.core.Vertx;\nimport io.vertx.ext.web.Router;\nimport io.vertx.ext.web.handler.StaticHandler;\n\npublic class StaticHandlerTestServer extends AbstractVerticle {\n  @Override\n  public void start() {\n    Router router = Router.router(vertx);\n\n    // Configure to not serve hidden files\n    StaticHandler staticHandler = StaticHandler.create(\"src/test/resources/webroot\")\n      .setIncludeHidden(false)\n      .setDirectoryListing(false);\n\n    router.route(\"/*\").handler(staticHandler);\n\n    vertx.createHttpServer()\n      .requestHandler(router)\n      .listen(8082);\n  }\n\n  public static void main(String[] args) {\n    Vertx vertx = Vertx.vertx();\n    vertx.deployVerticle(new StaticHandlerTestServer());\n  }\n}\n```\n\n```bash\n3. Confirm the vulnerability\n\n# Normal file (accessible)\ncurl http://localhost:8082/visible.txt\n# Result: 200 OK\n\n# Hidden file (correctly blocked)\ncurl http://localhost:8082/.git\n# Result: 404 Not Found\n\n# File under hidden directory (vulnerable)\ncurl http://localhost:8082/.git/config\n# Result: 200 OK - Returns contents of Git config\n```\n\n# Potential Impact\n\n## 1. Information Disclosure\n\nExamples of sensitive files that could be exposed:\n\n- `.git/config`: Git repository settings (e.g., remote URL, credentials)\n- `.env/*`: Environment variables (API keys, DB credentials)\n- `.aws/credentials`: AWS access keys\n- `.ssh/known_hosts`: SSH host trust info\n- `.docker/config.json`: Docker registry credentials\n\n## 2. Attack Scenarios\n\n- Attackers can guess common hidden directory names and enumerate filenames under them to access confidential data.\n- Especially dangerous for `.git/HEAD`, `.git/config`, `.git/objects/*` \u2014 which may allow full reconstruction of source code.\n\n## 3. Affected Scope\n\n- **Affected version**: Vert.x Web 5.1.0-SNAPSHOT (likely earlier versions as well)\n- **Environments**: All OSes (Windows, Linux, macOS)\n- **Configurations**: All applications using `StaticHandler.setIncludeHidden(false)`",
  "id": "GHSA-h5fg-jpgr-rv9c",
  "modified": "2025-10-22T19:38:04Z",
  "published": "2025-10-22T19:38:04Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/vert-x3/vertx-web/security/advisories/GHSA-h5fg-jpgr-rv9c"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11965"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/vert-x3/vertx-web"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/304"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Vert.x-Web Access Control Flaw in StaticHandler\u2019s Hidden File Protection for Files Under Hidden Directories"
}

GHSA-45P5-V273-3QQR

Vulnerability from github – Published: 2025-10-22 19:38 – Updated: 2026-01-21 16:37

Summary

Vert.x-Web vulnerable to Stored Cross-site Scripting in directory listings via file names

Details

Description

In the StaticHandlerImpl#sendDirectoryListing(...) method under the text/html branch, file and directory names are directly embedded into the href, title, and link text without proper HTML escaping.
As a result, in environments where an attacker can control file names, injecting HTML/JavaScript is possible. Simply accessing the directory listing page will trigger an XSS.
Affected Code:
- File: vertx-web/src/main/java/io/vertx/ext/web/handler/impl/StaticHandlerImpl.java
- Lines:
  - 709–713: normalizedDir is constructed without escaping
  - 714–731: <li><a ...> elements insert file names directly into attributes and body without escaping
  - 744: parent directory name construction
  - 746–751: {directory}, {parent}, and {files} are inserted into the HTML template without escaping

Reproduction Steps

Prerequisites:
- Directory listing is enabled using StaticHandler
  (e.g., StaticHandler.create("public").setDirectoryListing(true))
- The attacker has the ability to create arbitrary file names under a public directory (e.g., via upload functionality or a shared directory)
Create a malicious file name (example for Unix-based OS):
- Create an empty file in public/ with one of the following names:
- <img src=x onerror=alert('XSS')>.txt
- Or attribute injection: evil" onmouseover="alert('XSS')".txt
- Example: bash mkdir -p public printf 'test' > "public/<img src=x onerror=alert('XSS')>.txt"
Start the server (example):
- Routing: router.route("/public/*").handler(StaticHandler.create("public").setDirectoryListing(true));
- Server: vertx.createHttpServer().requestHandler(router).listen(8890);
Verification request (raw HTTP): GET /public/ HTTP/1.1 Host: 127.0.0.1:8890 Accept: text/html Connection: close
Example response excerpt: html <ul id="files"> <li> <a href="/public/<img src=x onerror=alert('XSS')>.txt" title="<img src=x onerror=alert('XSS')>.txt"> <img src=x onerror=alert('XSS')>.txt </a> </li> ... </ul>
When accessing /public/ in a browser, the unescaped file name is interpreted as HTML, and event handlers such as onerror are executed.

Potential Impact

Stored XSS
- Arbitrary JavaScript executes in the browser context of users viewing the listing page
- Possible consequences:
  - Theft of session tokens, JWTs, localStorage contents, or CSRF tokens
  - Unauthorized actions with admin privileges (user creation, permission changes, settings modifications)
  - Watering hole attacks, including malware distribution or malicious script injection to other pages
Common Conditions That Make Exploitation Easier
- Uploaded files are served directly under a publicly accessible directory
- Shared/synced directories (e.g., NFS, SMB, WebDAV, or cloud sync) are exposed
- ZIP/TAR archives are extracted directly under the webroot and directory listing is enabled in production environments

Similar CVEs Previously Reported

CVE‑2024‑32966
CVE‑2019‑15603

Severity ?

4.9 (Medium)


                  
                    CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N

2.3 (Low)


                  
                    CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "io.vertx:vertx-web"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.5.22"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 5.0.4"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "io.vertx:vertx-web"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.0.0"
            },
            {
              "fixed": "5.0.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-11966"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-10-22T19:38:11Z",
    "nvd_published_at": "2025-10-22T15:15:31Z",
    "severity": "LOW"
  },
  "details": "# Description\n\n- In the `StaticHandlerImpl#sendDirectoryListing(...)` method under the `text/html` branch, file and directory names are directly embedded into the `href`, `title`, and link text without proper HTML escaping.\n- As a result, in environments where an attacker can control file names, injecting HTML/JavaScript is possible. Simply accessing the directory listing page will trigger an XSS.\n- Affected Code:\n    - File: `vertx-web/src/main/java/io/vertx/ext/web/handler/impl/StaticHandlerImpl.java`\n    - Lines:\n        - 709\u2013713: `normalizedDir` is constructed without escaping\n        - 714\u2013731: `\u003cli\u003e\u003ca ...\u003e` elements insert file names directly into attributes and body without escaping\n        - 744: parent directory name construction\n        - 746\u2013751: `{directory}`, `{parent}`, and `{files}` are inserted into the HTML template without escaping\n\n# Reproduction Steps\n\n1. Prerequisites:\n    - Directory listing is enabled using `StaticHandler`  \n      (e.g., `StaticHandler.create(\"public\").setDirectoryListing(true)`)\n    - The attacker has the ability to create arbitrary file names under a public directory (e.g., via upload functionality or a shared directory)\n\n2. Create a malicious file name (example for Unix-based OS):\n    - Create an empty file in `public/` with one of the following names:\n      - `\u003cimg src=x onerror=alert(\u0027XSS\u0027)\u003e.txt`\n      - Or attribute injection: `evil\" onmouseover=\"alert(\u0027XSS\u0027)\".txt`\n    - Example:\n      ```bash\n      mkdir -p public\n      printf \u0027test\u0027 \u003e \"public/\u003cimg src=x onerror=alert(\u0027XSS\u0027)\u003e.txt\"\n      ```\n\n3. Start the server (example):\n    - Routing: `router.route(\"/public/*\").handler(StaticHandler.create(\"public\").setDirectoryListing(true));`\n    - Server: `vertx.createHttpServer().requestHandler(router).listen(8890);`\n\n4. Verification request (raw HTTP):\n    ```\n    GET /public/ HTTP/1.1\n    Host: 127.0.0.1:8890\n    Accept: text/html\n    Connection: close\n    ```\n\n5. Example response excerpt:\n    ```html\n    \u003cul id=\"files\"\u003e\n      \u003cli\u003e\n        \u003ca href=\"/public/\u003cimg src=x onerror=alert(\u0027XSS\u0027)\u003e.txt\"\n           title=\"\u003cimg src=x onerror=alert(\u0027XSS\u0027)\u003e.txt\"\u003e\n           \u003cimg src=x onerror=alert(\u0027XSS\u0027)\u003e.txt\n        \u003c/a\u003e\n      \u003c/li\u003e\n      ...\n    \u003c/ul\u003e\n    ```\n\n- When accessing `/public/` in a browser, the unescaped file name is interpreted as HTML, and event handlers such as `onerror` are executed.\n\n# Potential Impact\n\n- **Stored XSS**\n    - Arbitrary JavaScript executes in the browser context of users viewing the listing page\n    - Possible consequences:\n        - Theft of session tokens, JWTs, localStorage contents, or CSRF tokens\n        - Unauthorized actions with admin privileges (user creation, permission changes, settings modifications)\n        - Watering hole attacks, including malware distribution or malicious script injection to other pages\n\n- **Common Conditions That Make Exploitation Easier**\n    - Uploaded files are served directly under a publicly accessible directory\n    - Shared/synced directories (e.g., NFS, SMB, WebDAV, or cloud sync) are exposed\n    - ZIP/TAR archives are extracted directly under the webroot and directory listing is enabled in production environments\n\n# Similar CVEs Previously Reported\n\n- CVE\u20112024\u201132966  \n- CVE\u20112019\u201115603",
  "id": "GHSA-45p5-v273-3qqr",
  "modified": "2026-01-21T16:37:06Z",
  "published": "2025-10-22T19:38:11Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/vert-x3/vertx-web/security/advisories/GHSA-45p5-v273-3qqr"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11966"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/vert-x3/vertx-web"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/303"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Vert.x-Web vulnerable to Stored Cross-site Scripting in directory listings via file names"
}

GHSA-5RFX-CP42-P624

Vulnerability from github – Published: 2026-01-07 18:09 – Updated: 2026-01-07 20:37

Summary

Quarkus REST has potential worker thread starvation when HTTP connection is closed while waiting to write

Details

A vulnerability exists in the HTTP layer of Quarkus REST related to response handling. When a response is being written, the framework waits for previously written response chunks to be fully transmitted before proceeding. If the client connection is dropped during this waiting period, the associated worker thread is never released and becomes permanently blocked. Under sustained or repeated occurrences, this can exhaust the available worker threads, leading to degraded performance, or complete unavailability of the application.

Workarounds

For versions without the fix applied, it is recommended to implement a health check that monitors the status and saturation of the worker thread pool. This helps detect abnormal thread retention early and allows operators to take corrective action before the application’s responsiveness is impacted.

Credits

CVE reported by Shaswata Jash, Nokia

Severity ?

5.9 (Medium)


                  
                    CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "io.quarkus:quarkus-rest"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.20.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "io.quarkus:quarkus-rest"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.21.0"
            },
            {
              "fixed": "3.27.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "io.quarkus:quarkus-rest"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.30.0"
            },
            {
              "fixed": "3.31.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-66560"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-770"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-01-07T18:09:56Z",
    "nvd_published_at": "2026-01-07T18:15:52Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability exists in the HTTP layer of Quarkus REST related to response handling. When a response is being written, the framework waits for previously written response chunks to be fully transmitted before proceeding. If the client connection is dropped during this waiting period, the associated worker thread is never released and becomes permanently blocked. Under sustained or repeated occurrences, this can exhaust the available worker threads, leading to degraded performance, or complete unavailability of the application.\n\n## Workarounds\n\nFor versions without the fix applied, it is recommended to implement a health check that monitors the status and saturation of the worker thread pool. This helps detect abnormal thread retention early and allows operators to take corrective action before the application\u2019s responsiveness is impacted.\n\n## Credits\n\nCVE reported by Shaswata Jash, Nokia",
  "id": "GHSA-5rfx-cp42-p624",
  "modified": "2026-01-07T20:37:40Z",
  "published": "2026-01-07T18:09:56Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/quarkusio/quarkus/security/advisories/GHSA-5rfx-cp42-p624"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66560"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/quarkusio/quarkus"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Quarkus REST has potential worker thread starvation when HTTP connection is closed while waiting to write"
}

GHSA-84H7-RJJ3-6JX4

Vulnerability from github – Published: 2025-12-15 23:28 – Updated: 2025-12-20 02:30

Summary

Netty has a CRLF Injection vulnerability in io.netty.handler.codec.http.HttpRequestEncoder

Details

Summary

The io.netty.handler.codec.http.HttpRequestEncoder CRLF injection with the request uri when constructing a request. This leads to request smuggling when HttpRequestEncoder is used without proper sanitization of the uri.

Details

The HttpRequestEncoder simply UTF8 encodes the uri without sanitization (buf.writeByte(SP).writeCharSequence(uriCharSequence, CharsetUtil.UTF_8);)

The default implementation of HTTP headers guards against such possibility already with a validator making it impossible with headers.

PoC

Simple reproducer:

public static void main(String[] args) {

  EmbeddedChannel client = new EmbeddedChannel();
  client.pipeline().addLast(new HttpClientCodec());

  EmbeddedChannel server = new EmbeddedChannel();
  server.pipeline().addLast(new HttpServerCodec());
  server.pipeline().addLast(new ChannelInboundHandlerAdapter() {
    @Override
    public void channelRead(ChannelHandlerContext ctx, Object msg) throws Exception {
      System.out.println("Processing msg " + msg);
    }
  });

  DefaultHttpRequest request = new DefaultHttpRequest(
    HttpVersion.HTTP_1_1,
    HttpMethod.GET,
    "/s1 HTTP/1.1\r\n" +
      "\r\n" +
      "POST /s2 HTTP/1.1\r\n" +
      "content-length: 11\r\n\r\n" +
      "Hello World" +
      "GET /s1"
  );
  client.writeAndFlush(request);
  ByteBuf tmp;
  while ((tmp = client.readOutbound()) != null) {
    server.writeInbound(tmp);
  }
}

Impact

Any application / framework using HttpRequestEncoder can be subject to be abused to perform request smuggling using CRLF injection.

Severity ?

6.5 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "io.netty:netty-codec-http"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.2.0.Alpha1"
            },
            {
              "fixed": "4.2.8.Final"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "io.netty:netty-codec-http"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.1.129.Final"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-67735"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-93"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-12-15T23:28:49Z",
    "nvd_published_at": "2025-12-16T01:15:52Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\n\nThe `io.netty.handler.codec.http.HttpRequestEncoder` CRLF injection with the request uri when constructing a request. This leads to request smuggling when `HttpRequestEncoder` is used without proper sanitization of the uri.\n\n### Details\n\nThe `HttpRequestEncoder` simply UTF8 encodes the `uri` without sanitization (`buf.writeByte(SP).writeCharSequence(uriCharSequence, CharsetUtil.UTF_8);`)\n\nThe default implementation of HTTP headers guards against such possibility already with a validator making it impossible with headers.\n\n### PoC\n\nSimple reproducer:\n\n```java\npublic static void main(String[] args) {\n\n  EmbeddedChannel client = new EmbeddedChannel();\n  client.pipeline().addLast(new HttpClientCodec());\n\n  EmbeddedChannel server = new EmbeddedChannel();\n  server.pipeline().addLast(new HttpServerCodec());\n  server.pipeline().addLast(new ChannelInboundHandlerAdapter() {\n    @Override\n    public void channelRead(ChannelHandlerContext ctx, Object msg) throws Exception {\n      System.out.println(\"Processing msg \" + msg);\n    }\n  });\n\n  DefaultHttpRequest request = new DefaultHttpRequest(\n    HttpVersion.HTTP_1_1,\n    HttpMethod.GET,\n    \"/s1 HTTP/1.1\\r\\n\" +\n      \"\\r\\n\" +\n      \"POST /s2 HTTP/1.1\\r\\n\" +\n      \"content-length: 11\\r\\n\\r\\n\" +\n      \"Hello World\" +\n      \"GET /s1\"\n  );\n  client.writeAndFlush(request);\n  ByteBuf tmp;\n  while ((tmp = client.readOutbound()) != null) {\n    server.writeInbound(tmp);\n  }\n}\n```\n\n### Impact\n\nAny application / framework using `HttpRequestEncoder` can be subject to be abused to perform request smuggling using CRLF injection.",
  "id": "GHSA-84h7-rjj3-6jx4",
  "modified": "2025-12-20T02:30:14Z",
  "published": "2025-12-15T23:28:49Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/netty/netty/security/advisories/GHSA-84h7-rjj3-6jx4"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-67735"
    },
    {
      "type": "WEB",
      "url": "https://github.com/netty/netty/commit/77e81f1e5944d98b3acf887d3aa443b252752e94"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/netty/netty"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Netty has a CRLF Injection vulnerability in io.netty.handler.codec.http.HttpRequestEncoder"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

Vulnerability from cleanstart

CVE-2017-12158 (GCVE-0-2017-12158)

CVE-2017-12159 (GCVE-0-2017-12159)

GHSA-H5FG-JPGR-RV9C

Description

Steps to Reproduce

Potential Impact

1. Information Disclosure

2. Attack Scenarios

3. Affected Scope

GHSA-45P5-V273-3QQR

Description

Reproduction Steps

Potential Impact

Similar CVEs Previously Reported

GHSA-5RFX-CP42-P624

Workarounds

Credits

GHSA-84H7-RJJ3-6JX4

Summary

Details

PoC

Impact

Tags

Sightings

Nomenclature