Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2Blast Radius
ecosystem impact- 2,106 maven packages depend on io.vertx:vertx-core (166 direct, 1,940 indirect)
Ecosystem-wide dependent count for version 4.3.4.
DescriptionCVE.org
A TCP client can perform a TLS handshake and present the server name extension with a server name that is accepted by a server wildcard name, e.g. if the server is configured with a certificate accepting *.example.com, any XYZ.example.com where xyz is a valid name can be used.
AnalysisAI
Wildcard TLS certificate validation in Eclipse Vert.x allows remote attackers to bypass Server Name Indication (SNI) hostname verification by presenting arbitrary subdomains matching wildcard patterns, potentially disclosing sensitive server configuration and enabling certificate reuse across unintended service endpoints. The vulnerability affects Vert.x versions using unbounded SNI cache mechanisms without proper hostname validation constraints, and is fixed by implementing bounded LRU caching with proper synchronization and hostname matching enforcement.
Technical ContextAI
The vulnerability exists in Eclipse Vert.x's TLS/SSL implementation, specifically in the SslContextProvider and SslContextManager classes that handle Server Name Indication (SNI) hostname resolution during TLS handshakes. The root cause is improper cache management in the SNI lookup mechanism: the original implementation used unbounded ConcurrentHashMap structures to cache SSL contexts keyed by server name. When a client presents a TLS SNI extension with a hostname matching a wildcard certificate pattern (e.g., *.example.com), the server accepts any XYZ.example.com variant without proper validation that the requested hostname is actually authorized for that certificate. This allows an attacker to request SSL contexts for arbitrary subdomain names that match the wildcard pattern, causing the server to return valid SSL contexts intended for different purposes. The fix introduces an LruCache (Least Recently Used cache) with bounded size (DEFAULT_SNI_CACHE_SIZE=16) to limit memory exposure and proper synchronization to prevent race conditions in multi-threaded scenarios. The underlying protocol involved is TLS 1.2/1.3 with SNI (RFC 6066), which allows clients to specify the intended server hostname during the handshake to support virtual hosting over TLS.
RemediationAI
Upgrade Eclipse Vert.x to a patched version that includes PR #6102 or later. The upstream fix is available in the GitHub repository (https://github.com/eclipse-vertx/vert.x/pull/6102) and the security advisory at https://github.com/eclipse-vertx/vert.x/security/advisories/GHSA-3g76-f9xq-8vp6. Check the Vert.x release notes for the specific release version incorporating this fix (likely 4.x.x or 5.x.x depending on your branch). As a temporary mitigation before patching: (1) Disable SNI if not required by setting setSni(false) in NetServerOptions and NetClientOptions-trade-off is loss of virtual hostname support over TLS; (2) Replace wildcard certificates (*.example.com) with subject alternative names (SANs) listing only the intended subdomains-trade-off is certificate management complexity; (3) Implement an external reverse proxy with proper hostname validation before requests reach the Vert.x application, forwarding only validated hostnames-trade-off is additional infrastructure overhead. The patch itself modifies SNI caching from unbounded ConcurrentHashMap to bounded LruCache with size 16, adds synchronization to prevent race conditions, and tightens hostname matching validation logic in SslContextProvider.
In version from 3.0.0 to 3.5.3 of Eclipse Vert.x, the StaticHandler uses external input to construct a pathname that sho
In version from 3.0.0 to 3.5.2 of Eclipse Vert.x, the CSRFHandler do not assert that the XSRF Cookie matches the returne
In version from 3.5.Beta1 to 3.5.3 of Eclipse Vert.x, the OpenAPI XML type validator creates XML parsers without taking
In Eclipse Vert.x version 4.3.0 to 4.5.9, the gRPC server does not limit the maximum length of message payload (Maven GA
In version from 3.0.0 to 3.5.3 of Eclipse Vert.x, the WebSocket HTTP upgrade implementation buffers the full http reques
In Eclipse Vert.x version 3.0 to 3.5.1, the HttpServer response headers and HttpClient request headers do not filter car
Same weakness CWE-295 – Improper Certificate Validation
View allSame technique Information Disclosure
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-27655
GHSA-3g76-f9xq-8vp6