CVE-2025-9467

04.09.2025, 10:42

When the Vaadin Upload's start listener is used to validate metadata about an incoming upload, it is possible to bypass the upload validation. 


Users of affected versions should apply the following mitigation or upgrade. Releases that have fixed this issue include:

Product version
Vaadin 7.0.0 - 7.7.47
Vaadin 8.0.0 - 8.28.1
Vaadin 14.0.0 - 14.13.0
Vaadin 23.0.0 - 23.6.1
Vaadin 24.0.0 - 24.7.6

Mitigation
Upgrade to 7.7.48
Upgrade to 8.28.2
Upgrade to 14.13.1
Upgrade to 23.6.2
Upgrade to 24.7.7 or newer

Please note that Vaadin versions 10-13 and 15-22 are no longer supported and you should update either to the latest 14, 23, 24 version.

Artifacts  Maven coordinatesVulnerable versionsFixed versioncom.vaadin:vaadin-server
7.0.0 - 7.7.47
7.7.48
com.vaadin:vaadin-server
8.0.0 - 8.28.1
8.28.2
com.vaadin:vaadin
14.0.0 - 14.13.0
14.13.1
com.vaadin:vaadin23.0.0 - 23.6.1
23.6.2
com.vaadin:vaadin24.0.0 - 24.7.6
24.7.7com.vaadin:vaadin-upload-flow
2.0.0 - 14.13.0
14.13.1
com.vaadin:vaadin-upload-flow
23.0.0 - 23.6.1
23.6.2
com.vaadin:vaadin-upload-flow
24.0.0 - 24.7.6
24.7.7

Provider	Type	Base Score	Vector
NIST	NIST	UNKNOWN	---
Vaadin	CNA	---	---
CISA-ADP	ADP	---	---

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: 11%

Common Weakness Enumeration

CWE-20 - Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Vulnerability Media Exposure

[GERMAN] Vaadin: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen
Ein entfernter, authentisierter Angreifer kann eine Schwachstelle in Vaadin ausnutzen, um Sicherheitsvorkehrungen zu umgehen.
Published: 2025-09-03T22:00:00+00:00

References

https://vaadin.com/security/cve-2025-9467