Vaadin
cpe:2.3:a:vaadin:vaadin:*:*:*:*:*:*:*
- >= 7.0.0, <= 7.7.47
- >= 8.0.0, <= 8.28.1
- >= 14.0.0, <= 14.13.0
- >= 23.0.0, <= 23.6.1
- >= 24.0.0, <= 24.7.6
A vulnerability exists in the Vaadin Upload components that allows users to bypass upload validation when the start listener is used to check the metadata of incoming files. This issue affects several Vaadin versions, including Vaadin 7, 8, 14, 23, and 24, as well as the Vaadin Upload Flow component in the corresponding versions. The vulnerability arises from improper input validation: upload metadata can be manipulated to circumvent validation rules that rely on it.
Exploitation of this vulnerability could lead to unauthorized file uploads, potentially allowing for the upload of malicious files that could be executed or processed by the application.
Users should upgrade to Vaadin versions 7.7.48, 8.28.2, 14.13.1, 23.6.2, or 24.7.7 and newer. For Vaadin Upload Flow, upgrade to versions 14.13.1, 23.6.2, or 24.7.7 and newer. Note that Vaadin versions 10-13 and 15-22 are no longer supported, and users should update to the latest version of 14, 23, or 24.