CVE Reports

Originally published at cvereports.com

CVE-2026-1002: Ghost in the Machine: Vert.x Cache Poisoning DoS

Vulnerability ID: CVE-2026-1002
CVSS Score: 6.9
Published: 2026-01-15

A logic error in URI normalization allows unauthenticated attackers to poison the Vert.x StaticHandler cache, causing persistent Denial of Service for legitimate files.

TL;DR

By sending a specifically crafted URL containing encoded dot segments, an attacker can trick the Vert.x web server into caching a '404 Not Found' response for a legitimate file. Subsequent requests from valid users will receive the cached 404, effectively making the file vanish from the web until the cache expires or the server restarts.


⚠️ Exploit Status: POC

Technical Details

  • CWE: CWE-444 (Inconsistent Interpretation of HTTP Requests)
  • CVSS v4.0: 6.9 (Medium)
  • Attack Vector: Network (Unauthenticated)
  • Impact: Denial of Service (Cache Poisoning)
  • Fix Commit: d007e7b418543eb1567fe95cf20f5450a5c2d047
  • Protocol: HTTP/1.1, HTTP/2

Affected Systems

  • Vert.x Web 4.0.0 through 4.5.23
  • Vert.x Web 5.0.0 through 5.0.6
  • Eclipse Vert.x: >= 4.0.0, <= 4.5.23 (Fixed in: 4.5.24)
  • Eclipse Vert.x: >= 5.0.0, <= 5.0.6 (Fixed in: 5.0.7)

Code Analysis

Commit: d007e7b

Fix RFC 3986 Rule C implementation in HttpUtils removeDots

-        int pos = obuf.lastIndexOf("/");
-        if (pos != -1) {
-          obuf.delete(pos, obuf.length());
-        }
+        int pos = obuf.lastIndexOf("/");
+        obuf.setLength(pos == -1 ? 0 : pos);
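Review bot: the behavioural change is confined to the `pos == -1` branch. The removed code only truncated `obuf` when a '/' was found, so an output buffer holding a single segment with no preceding '/' was left intact when a `/..` segment was consumed; RFC 3986 section 5.2.4 step C says to remove the last segment "and its preceding '/' (if any)", which the new `obuf.setLength(pos == -1 ? 0 : pos)` does by emptying the buffer. The hunk carries no test: add a regression case in which the output buffer holds exactly one slash-less segment before a `/..` so that branch is exercised, and the commit message would be clearer if it named that case instead of only "Rule C".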

Exploit Details

  • N/A: Original issue report demonstrating the dot segment normalization failure.

Mitigation Strategies

  • Update Vert.x dependencies immediately.
  • Disable StaticHandler caching if immediate update is impossible.
  • Implement WAF rules to block encoded dot segments in paths.
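The TL;DR and the fix commit both come down to one rule of RFC 3986 section 5.2.4: when a `..` segment is consumed, the last output segment is removed together with its preceding `/` if there is one. The Python below is an added example, not code from Vert.x or from the original report. It implements remove_dot_segments step by step, including that slash-less step C case, and then uses it as the check a WAF rule for "encoded dot segments" has to make: percent-decode each request path and compare it with its normalized form. The request lines are constructed samples; Python is used so the block runs stand-alone, since the logic itself is language-neutral.

```python
"""RFC 3986 dot-segment normalization and a matching request-path check (added example)."""
from urllib.parse import unquote

DOT_SEGMENTS = {".", ".."}


def _drop_last_segment(out: str) -> str:
    """Remove the last output segment and its preceding '/', if any (RFC 3986 step C).

    When the buffer holds a segment with no '/' at all, the whole buffer is emptied;
    leaving it untouched is the inconsistency the Vert.x fix corrects.
    """
    pos = out.rfind("/")
    return "" if pos == -1 else out[:pos]


def remove_dot_segments(path: str) -> str:
    """RFC 3986 section 5.2.4 remove_dot_segments, one rule per branch."""
    inp, out = path, ""
    while inp:
        if inp.startswith("../"):            # step A
            inp = inp[3:]
        elif inp.startswith("./"):           # step A
            inp = inp[2:]
        elif inp.startswith("/./"):          # step B
            inp = inp[2:]
        elif inp == "/.":                    # step B
            inp = "/"
        elif inp.startswith("/../"):         # step C
            inp = inp[3:]
            out = _drop_last_segment(out)
        elif inp == "/..":                   # step C
            inp = "/"
            out = _drop_last_segment(out)
        elif inp in DOT_SEGMENTS:            # step D
            inp = ""
        else:                                # step E: move the first segment to the output
            start = 1 if inp.startswith("/") else 0
            cut = inp.find("/", start)
            if cut == -1:
                out, inp = out + inp, ""
            else:
                out, inp = out + inp[:cut], inp[cut:]
    return out


def percent_decode(raw: str, max_rounds: int = 2) -> str:
    """Decode percent-encoding until stable or max_rounds, so a doubly encoded %252e is seen too."""
    current = raw
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current


def classify_path(raw_path: str) -> str:
    """Return 'block' when the decoded path is not already in dot-segment-free form.

    A path whose normalization differs from itself contained a '.' or '..' segment,
    whether written plainly or percent-encoded; ordinary dots in file names are unaffected.
    """
    decoded = percent_decode(raw_path)
    return "block" if decoded != remove_dot_segments(decoded) else "allow"


# Constructed access-log request lines for the demonstration (not from any real system).
SAMPLE_REQUEST_LINES = [
    "GET /assets/app.js HTTP/1.1",
    "GET /assets/jquery.min.js HTTP/1.1",
    "GET /assets/css/../app.js HTTP/1.1",
    "GET /assets/%2e%2e/app.js HTTP/1.1",
    "GET /assets/%252e%252e/app.js HTTP/1.1",
    "GET /assets/./app.js HTTP/1.1",
]


def scan_request_lines(lines):
    """Map each request line to (raw path, verdict), as a log review or WAF pass would."""
    results = []
    for line in lines:
        _method, raw_path, _version = line.split(" ", 2)
        results.append((raw_path, classify_path(raw_path)))
    return results


if __name__ == "__main__":
    for raw_path, verdict in scan_request_lines(SAMPLE_REQUEST_LINES):
        print(f"{verdict:5}  {raw_path}")
```

The check rejects anything the normalizer would rewrite, so a rule built on it does not depend on enumerating encodings of `.` and `..`. The two-round decode catches doubly encoded segments but will also reject paths that legitimately contain a literal `%25`; tune `max_rounds` to the encoding behaviour of the upstream proxies in front of the application.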

Remediation Steps:

  1. Identify all services using io.vertx:vertx-web.
  2. Update pom.xml or build.gradle to use version 4.5.24 or 5.0.7.
  3. Rebuild and redeploy the application.
  4. Flush any intermediate CDNs or proxies that might have cached the 404s upstream.

References


Read the full report for CVE-2026-1002 on our website for more details including interactive diagrams and full exploit analysis.