Request to upgrade the vertex.io to 4.5.22 due to a security vulnerability being reported. High severity vulnerability-CWE-552

[AnukulPK]

Hi Team,

One of our project has recently been flagged with a high vulnerability for io.vertx:vertex-web

The vulnerability states that files or directories are accessible to external parties.

This has been resolved in version 4.5.22
Reference: https://vertx.io/blog/eclipse-vert-x-4-5-22/

Could this upgrade in version be prioritised soon.

[quarkus-bot[bot]]

/cc @sberyozkin (security)

[sberyozkin]

@AnukulPK Can you please forward your request to [email protected], and give more details about the CVE

[lloydmeta]

https://vertx.io/blog/eclipse-vert-x-4-5-22/ lists two

https://www.cve.org/CVERecord?id=CVE-2025-11965 is I think the most pertinent

In Eclipse Vert.x versions [4.0.0, 4.5.21] and [5.0.0, 5.0.4], a StaticHandler configuration for restricting access to hidden files fails to restrict access to hidden directories, allowing unauthorized users to retrieve files within them (e.g. '.git/config').

It scores as 8.3 High under CVSS v4 https://security.snyk.io/vuln/SNYK-JAVA-IOVERTX-13669868

[AnukulPK]

I received a reply from the quarkus team that they are looking to upgrade the version and roll out the changes in quarkus 3.30 and 3.27.x and 3.20.x.

[cescoffier]

I want to add that Quarkus was NOT affected. However, we proceeded with the update nonetheless.