Julien Viet

Name of the Vulnerable Software and Affected Versions: Eclipse Vert.x versions 4.3.0 through 4.5.9 Description: The gRPC server in Eclipse Vert.x does not limit the maximum length of message payload, which can lead to potential issues. This issue does not affect the Vert.x gRPC server based on grpc-java and Netty libraries. The estimated number of potentially affected devices worldwide is not specified. There is no information about real-world incidents where this issue was exploited. Recommendations: For Eclipse Vert.x versions 4.3.0 through 4.5.9, update to version 4.5.10 or later to fix the issue. As a temporary workaround, consider restricting the maximum length of message payload in the gRPC server configuration to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Eclipse Vert.x versions 3.0.0 through 3.5.2 **Description** The issue allows replay attacks with previously issued tokens that have not expired yet, due to the CSRFHandler not asserting that the XSRF Cookie matches the returned XSRF header or form parameter. **Recommendations** For Eclipse Vert.x versions 3.0.0 through 3.5.2, consider disabling the CSRFHandler until a patch is available to prevent replay attacks. Restrict access to sensitive operations that rely on the XSRF token to minimize the risk of exploitation.