Security Advisory GHSA-h5fg-jpgr-rv9c (CVE-2025-11965) - Vert.x Web version 4.5.21 in Quarkus 3.27.0 LTS

[securitybot1992]

Hi Team,
We recently conducted a vulnerability scan of our application's container image, which identified security vulnerability (GHSA-h5fg-jpgr-rv9c, also tracked as CVE-2025-11965) related to the io.vertx:vertx-web dependency.

This dependency is managed and embedded within our current Quarkus version (3.27.0 LTS). The specific version of vertx-web being pulled into our project is 4.5.21:
[INFO] | - io.vertx:vertx-web:jar:4.5.21:compile

Is it safe and recommended for us to manually override the vertx-web version in the pom.xml, extracted from the BOM of Quarkus, to force the use of the patched version 4.5.22?

Or, should we avoid manual overrides due to potential compatibility risks within the Quarkus ecosystem and wait for an official Quarkus patch release that natively upgrades the Vert.x Web dependency?

We appreciate any guidance on the recommended approach to address this vulnerability.

Thank you.

[quarkus-bot[bot]]

/cc @sberyozkin (security)

[cescoffier]

Quarkus is not affected by this CVE as the settings are not exposed. So, except if you are using the affected classes directly in your code, you are fine.

As far as I know, you should be safe to update that dependency manually if you need, but we are proceeding with the updates too (to keep a single vert.x version everywhere)