CVE-2026-1002
BaseFortify
Publication date: 2026-01-15
Last updated on: 2026-02-05
Assigner: Eclipse Foundation
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| eclipse | vert.x | to 4.5.24 (inc) |
| eclipse | vert.x | to 4.3.7 (inc) |
| eclipse | vert.x | to 3.9.5 (inc) |
| eclipse | vert.x | to 5.0.6 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-444 | The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-1002 is a vulnerability in the Vert.x Web static handler component where the cache can be corrupted by specially crafted request URIs containing encoded segments like "%2F..%2F" (representing "/../"). The issue stems from improper URI path normalization according to RFC 3986, specifically the failure to correctly remove dot-segments in certain cases. This causes the static handler to cache non-existent file paths as missing, leading to denial of access to static files by returning HTTP 404 errors even for valid requests. The problem arises because the method responsible for removing dot-segments does not properly handle paths that do not start with a slash, resulting in incorrect cache entries. [1, 2]
How can this vulnerability impact me? :
This vulnerability can impact you by causing denial of access to static files served by the Vert.x Web static handler. When an attacker sends a specially crafted URI containing encoded dot-segments, it corrupts the static handler's cache, causing valid requests for static files to return HTTP 404 errors. This means legitimate users may be unable to access static resources, potentially disrupting service availability or user experience. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by sending crafted HTTP requests containing the encoded segment "%2F..%2F" in the URI path to the Vert.x Web static handler and observing if the server returns HTTP 404 responses incorrectly and if subsequent valid requests to the same resource also return HTTP 404 due to cache corruption. For example, you can use curl commands as follows: 1) curl "http://host/foo/index.html" - should return HTTP 200. 2) curl "http://host/foo/bar%2F..%2Findex.html" - should return HTTP 404 and corrupt the cache. 3) curl "http://host/foo/index.html" again - if it returns HTTP 404, the vulnerability is present due to cache corruption. [1]
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability immediately, disable the static handler cache in the Vert.x Web static handler component by configuring it as follows: StaticHandler staticHandler = StaticHandler.create().setCachingEnabled(false); This prevents cache corruption caused by the vulnerability.